Home > Vulnerability Database > CVE-2024-4146

Mend.io Vulnerability Database

CVE-2024-4146

Date: June 8, 2024

In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the "checkProjectAccess" method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the "account_project" table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.

Language: TYPE_SCRIPT

Severity Score

9.8

Related Resources (5)

Url: https://github.com/lunary-ai/lunary

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-4146

Url: https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7

Url: https://huntr.com/bounties/a749e696-b398-4260-b2d0-b0054b9fffa7

Url: https://www.mend.io/vulnerability-database/CVE-2024-4146

Severity Score

9.8

Weakness Type (CWE)

Improper Authorization

CWE-285

Incorrect Authorization

CWE-863

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-4146

Date: June 8, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?