Home > Vulnerability Database > CVE-2024-1740

Mend.io Vulnerability Database

CVE-2024-1740

Good to know:

Date: April 10, 2024

In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal from the organization. This allows the removed user to perform unauthorized actions on logs and access project and external user details without valid permissions.

Language: JS

Severity Score

9.1

Related Resources (4)

Url: https://huntr.com/bounties/c1a51f71-628e-4eb5-ac35-50bf64832cfd

Url: https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1740

Url: https://www.mend.io/vulnerability-database/CVE-2024-1740

Severity Score

9.1

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

Upgrade Version

Upgrade to version v1.2.7

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1740

Good to know:

Date: April 10, 2024

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?