CVE-2024-1625 — MEDIUM (6.5)

Vulnerability Description

An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project's ID. This issue affects the project deletion functionality implemented in the projects.delete route.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Lunary	Lunary	0.3.0

Related Weaknesses (CWE)

CWE-639

References

https://github.com/lunary-ai/lunary/commit/88f98e29f19da9d1f5de45c5b163fd5b48e0bPatch
https://huntr.com/bounties/cf6dd625-e6c9-44df-a072-13686816de21ExploitIssue TrackingPatch
https://github.com/lunary-ai/lunary/commit/88f98e29f19da9d1f5de45c5b163fd5b48e0bPatch
https://huntr.com/bounties/cf6dd625-e6c9-44df-a072-13686816de21ExploitIssue TrackingPatch

FAQ

What is CVE-2024-1625?

CVE-2024-1625 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is du...

How severe is CVE-2024-1625?

CVE-2024-1625 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-1625?

Check the references section above for vendor advisories and patch information. Affected products include: Lunary Lunary.