Vulnerability Description
In lunary-ai/lunary version 1.0.1, a user who has been removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application authenticates to the server with an 'Authorization' token held in the browser, and that token is not invalidated when the user is removed from the organization. The server trusts the token's original claims instead of re-checking the user's current membership, so the removed user can perform unauthorized actions on logs and access project and external-user details without valid permissions.
CVSS Score: 9.1 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lunary | Lunary | < 1.2.7 |
Related Weaknesses (CWE)
References
- https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66 (Patch)
- https://huntr.com/bounties/c1a51f71-628e-4eb5-ac35-50bf64832cfd (Exploit, Issue Tracking, Patch)
FAQ
What is CVE-2024-1740?
CVE-2024-1740 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary w...
How severe is CVE-2024-1740?
CVE-2024-1740 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-1740?
Check the References section above for the vendor commit and the huntr report with patch information. Affected product: Lunary (vendor Lunary), versions before 1.2.7.