ID CVE-2024-5248
Summary In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing capabilities, explicitly excluding access to user information. However, the endpoint fails to enforce this restriction, allowing users with the `Prompt Editor` role to access the full list of users in the organization. This vulnerability allows unauthorized access to sensitive user information, violating the intended access controls.
References
Vulnerable Configurations
  • cpe:2.3:a:lunary:lunary:1.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.8:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.9:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.10:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.11:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.12:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.13:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.14:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.15:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.16:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.17:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.17:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.18:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.19:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.19:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.20:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.20:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.21:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.21:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.22:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.22:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.23:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.23:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.24:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.24:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.25:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.25:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.26:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.26:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.27:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.27:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.28:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.28:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.29:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.29:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.30:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.30:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.31:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.31:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.32:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.32:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.33:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.33:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.34:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.34:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.4:-:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.4:-:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.4:alpha1:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.4:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.7:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.8:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.9:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.10:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.3.11:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.3:-:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.3:-:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.3:alpha1:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.3:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.3:alpha2:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.3:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.4:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.5:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.6:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.7:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.4.8:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.4.8:*:*:*:*:*:*:*
CVSS
Base: None
Impact:
Exploitability:
CWE CWE-862
CAPEC
Access
VectorComplexityAuthentication
Impact
ConfidentialityIntegrityAvailability
Last major update 03-11-2024 - 17:15
Published 06-06-2024 - 19:16
Last modified 03-11-2024 - 17:15
Back to Top