CVE-2024-3504

Exploit

EPSS 0.14%
Veröffentlicht 06.06.2024 18:15:17
Zuletzt bearbeitet 15.10.2025 13:15:43
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lunary ≫ Lunary Version < 1.2.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.344

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	1.2	5.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
security@huntr.dev	8.1	2.8	5.2	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/lunary-ai/lunary/commit/f7507f0949f6634f725ebb8da37c44f76542901f

Patch

https://huntr.com/bounties/97958fe4-be21-4b63-966f-8337c72c8e28

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-3504

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-3504

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-3504

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-3504