Vulnerability Description
lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on prompt templates by sending HTTP requests with their previously captured authorization token. This issue exposes organizations to unauthorized access and manipulation of sensitive template data.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lunary | Lunary | < 1.2.8 |
Related Weaknesses (CWE)
References
- https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f0885Patch
- https://huntr.com/bounties/671bd040-1cc5-4227-8182-5904e9c5ed3bExploitIssue TrackingPatch
- https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f0885Patch
- https://huntr.com/bounties/671bd040-1cc5-4227-8182-5904e9c5ed3bExploitIssue TrackingPatch
FAQ
What is CVE-2024-1741?
CVE-2024-1741 is a vulnerability with a CVSS score of 9.1 (CRITICAL). lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being re...
How severe is CVE-2024-1741?
CVE-2024-1741 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-1741?
Check the references section above for vendor advisories and patch information. Affected products include: Lunary Lunary.