CVE-2024-1740

9.1 CRITICAL

📋 TL;DR

This vulnerability allows users who have been removed from an organization to continue accessing and manipulating logs and project data using old authorization tokens. The lunary web application fails to properly invalidate tokens upon user removal, enabling unauthorized access to sensitive information. All organizations using lunary-ai/lunary version 1.0.1 are affected.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: 1.0.1
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of lunary version 1.0.1 are vulnerable regardless of configuration. The vulnerability is in the core authentication token handling logic.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious former employee could access, modify, or delete all organizational logs, compromise project data, and exfiltrate sensitive information including external user details, potentially causing data breaches and operational disruption.

🟠

Likely Case

Former employees or contractors retain unintended access to organizational logs and project data, leading to unauthorized data viewing, potential data manipulation, and privacy violations.

🟢

If Mitigated

With proper token invalidation and access controls, removed users would be immediately denied access, preventing any unauthorized actions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a previously valid authorization token from a user who has been removed from an organization. The attack is simple to execute once the token is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit c57cd50fa0477fd2a2efe60810c0099eebd66f54

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54

Restart Required: Yes

Instructions:

1. Update lunary to the latest version containing commit c57cd50fa0477fd2a2efe60810c0099eebd66f54.
2. Restart the lunary application.
3. Force all users to re-authenticate to invalidate old tokens.

🔧 Temporary Workarounds

Manual Token Revocation

all

Manually revoke all existing authorization tokens and force re-authentication for all users

# Requires application-specific implementation to invalidate all tokens
# Consult lunary documentation for token management

Access Control Enhancement

all

Implement additional authorization checks at the application layer to verify user organization membership

# Add middleware to verify user organization status on each request
# Implement session validation against current organizational membership
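The two workarounds above (revoking all tokens, and re-checking organization membership on every request) as one added example; this is not lunary's own code. It assumes an Express-style middleware signature, an in-memory membership store, and token claims named userId, orgId, iat and exp that an earlier step has already signature-verified and attached as req.auth.

```javascript
// Constructed in-memory membership store: orgId -> Map(userId -> record).
// tokensValidFrom is a unix-seconds cutoff; tokens issued before it are rejected.
const memberships = new Map([
  ["org-1", new Map([
    ["alice", { status: "active", tokensValidFrom: 0 }],
    ["bob", { status: "active", tokensValidFrom: 0 }],
  ])],
]);

// Called when an admin removes a user. Because membership is re-checked on every
// request, any token the user still holds fails on its next use, without waiting
// for the token to expire.
function removeUser(orgId, userId) {
  const org = memberships.get(orgId);
  if (org && org.has(userId)) org.get(userId).status = "removed";
}

// Emergency workaround: invalidate every token in the org issued before `now` by
// moving the cutoff forward; users must sign in again to obtain a newer token.
function revokeAllTokens(orgId, now) {
  const org = memberships.get(orgId);
  if (!org) return;
  for (const rec of org.values()) rec.tokensValidFrom = now;
}

// Decide whether signature-verified claims are still authorized right now.
function authorizeClaims(claims, now) {
  if (claims.exp !== undefined && claims.exp <= now) {
    return { ok: false, reason: "token-expired" };
  }
  const org = memberships.get(claims.orgId);
  const rec = org && org.get(claims.userId);
  if (!rec || rec.status !== "active") {
    return { ok: false, reason: "not-an-active-member" };
  }
  if (claims.iat < rec.tokensValidFrom) {
    return { ok: false, reason: "token-issued-before-revocation" };
  }
  return { ok: true };
}

// Express-style middleware (assumed shape). Denials are logged so that use of a
// removed user's token shows up as a log indicator for monitoring.
function requireActiveMembership(req, res, next) {
  const claims = req.auth || {};
  const verdict = authorizeClaims(claims, Math.floor(Date.now() / 1000));
  if (!verdict.ok) {
    console.warn(`authz denied user=${claims.userId} org=${claims.orgId} reason=${verdict.reason}`);
    return res.status(403).json({ error: "forbidden" });
  }
  return next();
}
```

Mount requireActiveMembership before every log and project route so the membership check runs on each request rather than only at login.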

🧯 If You Can't Patch

  • Implement network segmentation to isolate lunary instances and limit access to authorized users only
  • Deploy a web application firewall (WAF) with rules to detect and block unauthorized token usage patterns

🔍 How to Verify

Check if Vulnerable:

Check if running lunary version 1.0.1. Test by removing a test user from an organization and attempting to use their old token to access logs.

Check Version:

Check lunary version in application configuration or via package manager (e.g., 'npm list lunary' or check package.json)

Verify Fix Applied:

After patching, remove a test user and verify their old token no longer provides access to logs or project data.

📡 Detection & Monitoring

Log Indicators:

  • Failed authorization attempts from removed users
  • Log access/modification from users not in current organization membership lists
  • Unusual token usage patterns from previously active users

Network Indicators:

  • API requests with authorization tokens from users not in organization
  • Unusual volume of log-related requests from single tokens

SIEM Query:

source="lunary" AND (event_type="log_access" OR event_type="log_modification") AND user_id NOT IN (SELECT user_id FROM organization_members WHERE status="active")
