CVE-2024-6086

Exploit

EPSS 0.08%
Veröffentlicht 27.06.2024 19:15:19
Zuletzt bearbeitet 15.10.2025 13:15:49
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lunary ≫ Lunary Version1.2.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.243

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
security@huntr.dev	5.3	3.9	1.4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643

Third Party Advisory

Exploit

https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54

https://nvd.nist.gov/vuln/detail/CVE-2024-6086

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-6086

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-6086

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-6086