Description
A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The saml.ts file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.
References
- Patch
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 1.4.9 (excluding)
cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
EPSS
Percentile: 40%
Score: 0.00184 (Low)
CVSS3: 6.5 Medium
CVSS3: 4.3 Medium
Weaknesses
CWE-306
Related vulnerabilities
CVSS3: 6.5
github
more than 1 year ago
Withdrawn Advisory: Lunary Improper Authentication vulnerability