In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing capabilities, explicitly excluding access to user information. However, the endpoint fails to enforce this restriction, allowing users with the `Prompt Editor` role to access the full list of users in the organization. This vulnerability allows unauthorized access to sensitive user information, violating the intended access controls.
History

Sun, 03 Nov 2024 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Sun, 03 Nov 2024 17:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Oct 2024 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Lunary
Lunary lunary
Weaknesses CWE-862
CPEs cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
Vendors & Products Lunary
Lunary lunary
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:49:25.715Z

Updated: 2024-11-03T18:27:24.948Z

Reserved: 2024-05-22T21:47:13.569Z

Link: CVE-2024-5248

cve-icon Vulnrichment

Updated: 2024-08-01T21:03:11.035Z

cve-icon NVD

Status : Modified

Published: 2024-06-06T19:16:06.917

Modified: 2024-11-21T09:47:16.293

Link: CVE-2024-5248

cve-icon Redhat

No data.