CVE-2024-5248 - In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing

CVE-2024-5248

Summary

In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing capabilities, explicitly excluding access to user information. However, the endpoint fails to enforce this restriction, allowing users with the `Prompt Editor` role to access the full list of users in the organization. This vulnerability allows unauthorized access to sensitive user information, violating the intended access controls.

References

Vulnerable Configurations

cpe:2.3:a:lunary:lunary:1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.8:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.8:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.9:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.9:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.10:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.10:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.11:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.11:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.12:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.12:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.13:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.13:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.14:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.14:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.15:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.15:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.16:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.16:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.17:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.17:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.18:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.18:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.19:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.19:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.20:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.20:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.21:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.21:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.22:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.22:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.23:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.23:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.24:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.24:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.25:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.25:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.26:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.26:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.27:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.27:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.28:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.28:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.29:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.29:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.30:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.30:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.31:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.31:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.32:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.32:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.33:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.33:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.34:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.2.34:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.4:-:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.4:-:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.4:alpha1:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.4:alpha1:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.5:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.5:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.6:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.6:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.7:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.7:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.8:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.8:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.9:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.9:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.10:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.10:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.11:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.3.11:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.3:-:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.3:-:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.3:alpha1:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.3:alpha1:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.3:alpha2:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.3:alpha2:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.6:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.6:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.7:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.7:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.8:*:*:*:*:*:*:*
cpe:2.3:a:lunary:lunary:1.4.8:*:*:*:*:*:*:*

CVSS

Base:	None
Impact:
Exploitability:

CWE

CWE-862

CAPEC

Access

Vector	Complexity	Authentication

Impact

Confidentiality	Integrity	Availability

Last major update

03-11-2024 - 17:15

Published

06-06-2024 - 19:16

Last modified

03-11-2024 - 17:15