CVE-2024-1740

CVSS V2 None CVSS V3 None

Description

In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal from the organization. This allows the removed user to perform unauthorized actions on logs and access project and external user details without valid permissions.

Overview

CVE ID
CVE-2024-1740

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-04-10T17:08:04.617Z

Last Modified Date
2024-04-16T11:10:33.024Z

Weakness Enumerations

CWE	URL
CWE-863	http://cwe.mitre.org/data/definitions/863.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/c1a51f71-628e-4eb5-ac35-50bf64832cfd
https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-1740
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1740

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 05:58:54				Added to TrackCVE