CVE-2024-1626

CVSS V2 None CVSS V3 None

Description

An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/v1/projects/:projectId' endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated user, enabling unauthorized modifications across different organizational projects.

Overview

CVE ID
CVE-2024-1626

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-04-16T00:00:14.496Z

Last Modified Date
2024-06-04T17:59:43.150Z

Weakness Enumerations

CWE	URL
CWE-250	http://cwe.mitre.org/data/definitions/250.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/ccc291db-ae9c-403c-b6b5-6fe3f4800933
https://github.com/lunary-ai/lunary/commit/9eb9e526edff8bf82ae032f7a04867c8d58572bc

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-1626
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1626

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 05:58:53				Added to TrackCVE