CVE-2024-1741 CRITICAL

CVE-2024-1741: Improper Authorization in lunary-ai/lunary

Vendor Lunary-Ai

Product lunary-ai/lunary

Weakness CWE-863 · Incorrect authorization

Published April 10, 2024

Last update January 31, 2025

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on prompt templates by sending HTTP requests with their previously captured authorization token. This issue exposes organizations to unauthorized access and manipulation of sensitive template data.

Key dates

02Disclosure timeline

April 10, 2024 CVE published

January 31, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-1741

Related vulnerabilities

Identifiers

CVE CVE-2024-1741

CWE CWE-863

CVSS 9.1 / CRITICAL

Affected versions