CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-4154: Incorrect Synchronization in lunary-ai/lunary

7.1 CVSS

Description

In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.

Classification

CVE ID: CVE-2024-4154

CVSS Base Severity: HIGH

CVSS Base Score: 7.1

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Affected Products

Vendor: lunary-ai

Product: lunary-ai/lunary

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.91% (scored less or equal to compared to others)

EPSS Date: 2025-03-01 (when was this score calculated)

References

https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f
https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7

Timeline

2025-02-01 00:30:28 UTC
CVE

Incorrect Synchronization in lunary-ai/lunary