CVE-2024-4154

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-4154
In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.

7.1 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f
https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f
Configurations

No configuration.

History

21 Nov 2024, 09:42

Type Values Removed Values Added
References () https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f - () https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f -
Summary
  • (es) En lunary-ai/lunary versión 1.2.2, una vulnerabilidad de sincronización incorrecta permite a usuarios sin privilegios cambiar el nombre de proyectos a los que no tienen acceso. Específicamente, un usuario sin privilegios puede enviar una solicitud PATCH al endpoint del proyecto con un nuevo nombre para un proyecto, a pesar de no tener los permisos necesarios o no estar asignado al proyecto. Este problema permite la modificación no autorizada de los nombres de los proyectos, lo que podría generar confusión o acceso no autorizado a los recursos del proyecto.

21 May 2024, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-21 18:15

Updated : 2024-11-21 09:42

NVD link : CVE-2024-4154

Mitre link : CVE-2024-4154

CVE.ORG link : CVE-2024-4154

JSON object : View

Products Affected

No product.

CWE
CWE-821

Incorrect Synchronization


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024