CVE-2024-6582

CVSS V2 None CVSS V3 None

Description

A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.

Overview

CVE ID
CVE-2024-6582

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-09-13T16:11:39.817Z

Last Modified Date
2024-09-13T16:42:08.872Z

Weakness Enumerations

CWE	URL
CWE-287	http://cwe.mitre.org/data/definitions/287.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/251d138c-3911-4a81-96e5-5a4ab59a0b59
https://github.com/lunary-ai/lunary/commit/1f043d8798ad87346dfe378eea723bff78ad7433

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-6582
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6582

History

Created	Old Value	New Value	Data Type	Notes
2024-09-14 13:09:58				Added to TrackCVE