CVE-2024-7475

An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the SAML configuration can only be updated by authorized users.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5	Patch
https://huntr.com/bounties/78c824f7-3b6d-443d-bb76-0f8031c6c126	Exploit Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

04 Nov 2024, 13:55

Type	Values Removed	Values Added
First Time		Lunary Lunary lunary
CWE		NVD-CWE-Other
Summary		(es) Una vulnerabilidad de control de acceso indebido en la versión 1.3.2 de lunary-ai/lunary permite a un atacante actualizar la configuración de SAML sin autorización. Esta vulnerabilidad puede provocar la manipulación de los procesos de autenticación, solicitudes de inicio de sesión fraudulentas y robo de información de los usuarios. Se deben implementar controles de acceso adecuados para garantizar que la configuración de SAML solo pueda ser actualizada por usuarios autorizados.
References	~~() https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5 -~~	() https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5 - Patch
References	~~() https://huntr.com/bounties/78c824f7-3b6d-443d-bb76-0f8031c6c126 -~~	() https://huntr.com/bounties/78c824f7-3b6d-443d-bb76-0f8031c6c126 - Exploit, Issue Tracking, Third Party Advisory
CPE		cpe:2.3:a:lunary:lunary::::::::

29 Oct 2024, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-29 13:15

Updated : 2024-11-04 13:55

NVD link : CVE-2024-7475

Mitre link : CVE-2024-7475

CVE.ORG link : CVE-2024-7475

JSON object : View

Products Affected

lunary

lunary

CWE

NVD-CWE-Other CWE-284

Improper Access Control

{"id": "CVE-2024-7475", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-10-29T13:15:09.737", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/78c824f7-3b6d-443d-bb76-0f8031c6c126", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the SAML configuration can only be updated by authorized users."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso indebido en la versi\u00f3n 1.3.2 de lunary-ai/lunary permite a un atacante actualizar la configuraci\u00f3n de SAML sin autorizaci\u00f3n. Esta vulnerabilidad puede provocar la manipulaci\u00f3n de los procesos de autenticaci\u00f3n, solicitudes de inicio de sesi\u00f3n fraudulentas y robo de informaci\u00f3n de los usuarios. Se deben implementar controles de acceso adecuados para garantizar que la configuraci\u00f3n de SAML solo pueda ser actualizada por usuarios autorizados."}], "lastModified": "2024-11-04T13:55:37.233", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FD5C422-483D-4A50-A6B8-25C1352C3F46", "versionEndExcluding": "1.3.4"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}