CVE-2024-9098 — MEDIUM (6.1)

Q: How severe is CVE-2024-9098?

CVE-2024-9098 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-9098?

Check the references section above for vendor advisories and patch information. Affected products include: Lunary Lunary.

Vulnerability Description

In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict admins from inviting users with billing roles. As a result, admins can circumvent the intended access control, posing a risk to the organization's financial resources.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Lunary	Lunary	< 1.4.30

Related Weaknesses (CWE)

CWE-863

References

https://github.com/lunary-ai/lunary/commit/a8d7b2959e87c30fbafdb12af7ffa093385dcPatch
https://huntr.com/bounties/75d466ae-8591-44d5-9160-eea7cad0c4fcExploitThird Party Advisory

FAQ

What is CVE-2024-9098?

CVE-2024-9098 is a vulnerability with a CVSS score of 6.1 (MEDIUM). In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing reso...

How severe is CVE-2024-9098?

CVE-2024-9098 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-9098?

Check the references section above for vendor advisories and patch information. Affected products include: Lunary Lunary.