CVE-2024-3504: Improper Access Control in lunary-ai/lunary
First published: Thu Jun 06 2024(Updated: )
An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| lunary lunary | <1.2.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-3504?
CVE-2024-3504 has a high severity level due to its potential impact on user access control and project deletion.
How do I fix CVE-2024-3504?
To fix CVE-2024-3504, upgrade to lunary version 1.2.7 or higher, which resolves the improper access control issue.
Who is affected by CVE-2024-3504?
CVE-2024-3504 affects users of lunary-ai/lunary versions up to and including 1.2.2.
What can an attacker do with CVE-2024-3504?
An attacker with admin privileges can exploit CVE-2024-3504 to elevate a user's access and potentially delete projects within the organization.
Is CVE-2024-3504 publicly disclosed?
Yes, CVE-2024-3504 is a publicly disclosed vulnerability that users should address promptly.
- agent/weakness
- agent/references
- agent/title
- agent/first-publish-date
- agent/description
- agent/type
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/softwarecombine
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/lunary
- canonical/lunary lunary