← Volver a CVEs

CVE-2024-1741

CRITICAL

9.1

Descripcion

lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on prompt templates by sending HTTP requests with their previously captured authorization token. This issue exposes organizations to unauthorized access and manipulation of sensitive template data.

Detalles CVE

Puntuacion CVSS v3.19.1

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado4/10/2024

Ultima modificacion1/31/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

lunary:lunary

Debilidades (CWE)

CWE-863CWE-863

Referencias

https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2(security@huntr.dev)

https://huntr.com/bounties/671bd040-1cc5-4227-8182-5904e9c5ed3b(security@huntr.dev)

https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2(af854a3a-2127-422b-91ae-364da2661108)

https://huntr.com/bounties/671bd040-1cc5-4227-8182-5904e9c5ed3b(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.