Strix
26.1K

CVE-2024-10275

HIGHCVSS 7.3/10EPSS 0.47%

Last modified

CVE-2024-10275 is a high-severity vulnerability rated 7.3/10 on the CVSS scale. In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an administrator can manage billing, effectively bypassing the intended role-based access control. EPSS estimates a 0.47% chance of exploitation in the next 30 days.

Description

In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an administrator can manage billing, effectively bypassing the intended role-based access control. Only users with the 'owner' role should be allowed to invite members with billing permissions. This flaw allows admins to circumvent those restrictions, gaining unauthorized access and control over billing information, posing a risk to the organization’s financial resources.

Metrics

CVSS 3.0
7.3/10

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS Probability
0.47%

37.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
LunaryLunary< 1.5.7

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2024-10275?
In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an administrator can manage billing, effectively bypassing the intended role-based access control. Only users with the 'owner' role should be allowed to invite members with billing permissions. This flaw allows admins to circumvent those restrictions, gaining unauthorized access and control over billing information, posing a risk to the organization’s financial resources.
How severe is CVE-2024-10275?
CVE-2024-10275 has a CVSS score of 7.3/10 (HIGH severity). The EPSS model estimates a 0.47% probability of exploitation in the next 30 days.
How do I fix CVE-2024-10275?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-10275?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST