216.73.217.64

CVE-2024-5127

· Published 06/06/2024 18:15 · Modified 06/06/2024 18:15

Labels: CVE-2024-5127 2024-06-06CVE-2024-5127CWE-284[email protected]

Essential information

Published
06/06/2024 18:15
Modified
06/06/2024 18:15
Author
Creator
CVSS
5.4 MEDIUM (v3.0)
CISA KEV
No
CWE
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS metrics

Description

In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a project and potentially exploit roles and permissions not intended for their use. The vulnerability specifically affects the Team feature, where the backend fails to validate whether a user has paid for a plan before allowing them to send invite links with any role assigned. This could lead to unauthorized access and manipulation of project settings or data.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

References