CVE-2024-3504

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-3504

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3504.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-3504

Published

2024-06-06T18:15:17Z

Modified

2025-01-15T05:13:56.620125Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.

References

Affected packages

Git / github.com/lunary-ai/lunary

Affected ranges

Type: GIT
Repo: https://github.com/lunary-ai/lunary
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f7507f0949f6634f725ebb8da37c44f76542901f

Fixed

f7507f0949f6634f725ebb8da37c44f76542901f

Affected versions

1.*

1.2.4

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.2.0

v0.2.1

v0.3.0

v0.3.1

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.5

v1.2.6