Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2024-1902
Analyzed
More InfoOfficial Page
Source-security@huntr.dev
View Known Exploited Vulnerability (KEV) details
Published At-10 Apr, 2024 | 17:15
Updated At-10 Jan, 2025 | 14:29

lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to check if a user is still part of an organization before allowing them to make changes. An attacker can exploit this by using an old authorization token to send a PATCH request, modifying the organization's name even after being removed from the organization. This issue is due to incorrect synchronization and affects the orgs.patch route.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Secondary3.07.5HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CPE Matches
Lunary LLC
lunary
>>lunary>>Versions before 1.2.8(exclusive)
cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-821Secondarysecurity@huntr.dev
NVD-CWE-OtherPrimarynvd@nist.gov
CWE ID: CWE-821
Type: Secondary
Source: security@huntr.dev
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2security@huntr.dev
Patch
https://huntr.com/bounties/e536310e-abe7-4585-9cf6-21f77390a5e8security@huntr.dev
Exploit
Issue Tracking
Patch
Third Party Advisory
https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2af854a3a-2127-422b-91ae-364da2661108
Patch
https://huntr.com/bounties/e536310e-abe7-4585-9cf6-21f77390a5e8af854a3a-2127-422b-91ae-364da2661108
Exploit
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2
Source: security@huntr.dev
Resource:
Patch
Hyperlink: https://huntr.com/bounties/e536310e-abe7-4585-9cf6-21f77390a5e8
Source: security@huntr.dev
Resource:
Exploit
Issue Tracking
Patch
Third Party Advisory
Hyperlink: https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://huntr.com/bounties/e536310e-abe7-4585-9cf6-21f77390a5e8
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Issue Tracking
Patch
Third Party Advisory
Change History
0Changes found
Details not found