What is the severity of CVE-2024-5248?

CVE-2024-5248 has a medium severity rating due to improper access control.

How do I fix CVE-2024-5248?

You can fix CVE-2024-5248 by updating lunary to version 1.4.9 or later.

Which versions of lunary are affected by CVE-2024-5248?

CVE-2024-5248 affects lunary version 1.2.5 up to, but not including, version 1.4.9.

What type of vulnerability is CVE-2024-5248?

CVE-2024-5248 is an improper access control vulnerability.

Where does the vulnerability CVE-2024-5248 exist within the software?

CVE-2024-5248 exists in the `GET /v1/users/me/org` endpoint of lunary.

Vulnerability/
CVE-2024-5248

medium

6.5

CWE

862

EPSS

0.043%

6/6/2024

21/11/2024

CVE-2024-5248: Improper Access Control in lunary-ai/lunary

First published: Thu Jun 06 2024(Updated: )

In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing capabilities, explicitly excluding access to user information. However, the endpoint fails to enforce this restriction, allowing users with the `Prompt Editor` role to access the full list of users in the organization. This vulnerability allows unauthorized access to sensitive user information, violating the intended access controls.

Credit: security@huntr.dev

Affected Software	Affected Version	How to fix
lunary lunary	>=1.2.5<1.4.9

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-5248?
CVE-2024-5248 has a medium severity rating due to improper access control.
How do I fix CVE-2024-5248?
You can fix CVE-2024-5248 by updating lunary to version 1.4.9 or later.
Which versions of lunary are affected by CVE-2024-5248?
CVE-2024-5248 affects lunary version 1.2.5 up to, but not including, version 1.4.9.
What type of vulnerability is CVE-2024-5248?
CVE-2024-5248 is an improper access control vulnerability.
Where does the vulnerability CVE-2024-5248 exist within the software?
CVE-2024-5248 exists in the `GET /v1/users/me/org` endpoint of lunary.

agent/title
agent/type
agent/first-publish-date
agent/description
agent/author
agent/event
collector/epss-latest
source/FIRST
agent/epss
agent/severity
agent/softwarecombine
agent/references
agent/weakness
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/lunary
canonical/lunary lunary
version/lunary lunary/1.2.5

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.