CVE-2024-4154
CVE-2024-4154 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. EPSS estimates a 0.30% chance of exploitation in the next 30 days.
Description
In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.
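To make the authorization gap concrete, here is an added example that is not Lunary's code (the store layout, handler names and role names are assumptions): a PATCH-style rename handler that only requires a logged-in caller, beside one that also checks the caller's membership and role for the target project before writing.

```javascript
// Added example, not Lunary's code: the store layout, handler names and role
// names are assumptions. Models the bug class behind CVE-2024-4154, a PATCH
// handler that renames a project without checking the caller's membership.

// Constructed sample data: two orgs with one project each, two users.
function makeStore() {
  return {
    projects: new Map([
      ["p1", { id: "p1", orgId: "org-a", name: "Alpha" }],
      ["p2", { id: "p2", orgId: "org-b", name: "Beta" }],
    ]),
    memberships: [
      { userId: "alice", orgId: "org-a", role: "admin" },
      { userId: "bob", orgId: "org-b", role: "member" },
    ],
  };
}

// Vulnerable shape: only requires a logged-in caller (PR:L in the vector) and
// looks the project up by the id from the URL, so any user renames any project.
function renameProjectVulnerable(store, userId, projectId, newName) {
  const project = store.projects.get(projectId);
  if (!project) return { status: 404 };
  project.name = newName;
  return { status: 200, name: project.name };
}

// Hardened shape: scope the lookup to the caller's own org, require a role
// that may rename, and validate the body before writing.
function renameProjectFixed(store, userId, projectId, newName) {
  const member = store.memberships.find((m) => m.userId === userId);
  const project = store.projects.get(projectId);
  // 404 for both "missing" and "not yours" so other orgs' ids are not confirmed.
  if (!project || !member || member.orgId !== project.orgId) return { status: 404 };
  if (member.role !== "admin") return { status: 403 };
  if (typeof newName !== "string") return { status: 400 };
  const name = newName.trim();
  if (name === "" || name.length > 100) return { status: 400 };
  project.name = name;
  return { status: 200, name: project.name };
}
```

The same membership check belongs on every project-scoped write, not only rename; a detection angle is to alert on successful PATCH responses whose caller has no membership row for the project touched.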
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lunary | Lunary | < 1.2.26 |
References
- https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f (Exploit, Issue Tracking, Patch, Third Party Advisory)
Source: NVD / NIST
