CVE-2024-3379

Public Exploit

Incorrect Authorization in lunary-ai/lunary

Description

In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to that project. This issue was fixed in version 1.2.7.

References

Link	Tags
https://huntr.com/bounties/739df024-a112-47aa-b51d-988c3f855e92	third party advisory patch issue tracking exploit
https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54	patch

Frequently Asked Questions

What is the severity of CVE-2024-3379?: CVE-2024-3379 has been scored as a high severity vulnerability.
How to fix CVE-2024-3379?: To fix CVE-2024-3379, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-3379 being actively exploited in the wild?: It is possible that CVE-2024-3379 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-3379?: CVE-2024-3379 affects lunary-ai lunary-ai/lunary.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-863 – Incorrect Authorization

References

Frequently Asked Questions