Vulnerability Description
An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lunary | Lunary | < 1.2.7 |
Related Weaknesses (CWE)
References
- https://github.com/lunary-ai/lunary/commit/f7507f0949f6634f725ebb8da37c44f765429Patch
- https://huntr.com/bounties/97958fe4-be21-4b63-966f-8337c72c8e28ExploitThird Party Advisory
- https://github.com/lunary-ai/lunary/commit/f7507f0949f6634f725ebb8da37c44f765429Patch
- https://huntr.com/bounties/97958fe4-be21-4b63-966f-8337c72c8e28ExploitThird Party Advisory
FAQ
What is CVE-2024-3504?
CVE-2024-3504 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability al...
How severe is CVE-2024-3504?
CVE-2024-3504 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-3504?
Check the references section above for vendor advisories and patch information. Affected products include: Lunary Lunary.