CVE-2024-6086: Improper Access Control in lunary-ai/lunary
First published: Thu Jun 27 2024(Updated: )
In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| lunary lunary | =1.2.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-6086?
CVE-2024-6086 has a medium severity rating due to improper access control.
How do I fix CVE-2024-6086?
To fix CVE-2024-6086, update to a newer version of lunary that implements the proper access controls.
Who is affected by CVE-2024-6086?
Any authenticated user in version 1.2.7 of lunary is affected by CVE-2024-6086.
What are the implications of CVE-2024-6086?
CVE-2024-6086 allows any user, even those with the lowest privileges, to change the name of an organization.
Is there a workaround for CVE-2024-6086?
Currently, there is no known workaround for CVE-2024-6086 aside from updating the software.
- agent/title
- agent/weakness
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/epss
- collector/epss-latest
- source/FIRST
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/lunary
- canonical/lunary lunary
- version/lunary lunary/1.2.7