CVE-2024-3379

8.1 HIGH

📋 TL;DR

An incorrect authorization vulnerability in lunary-ai/lunary allows users with the 'Member' role to regenerate the private keys of projects they should not have access to. Regenerating a key replaces the project's existing private key, so a Member can invalidate the key that legitimate users rely on and, if the new key is returned to the caller, obtain a working credential for that project. Versions 1.2.2 through 1.2.6 are affected; 1.2.7 fixes the authorization check.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: 1.2.2 through 1.2.6
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using vulnerable versions regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

A Member-role user regenerates the private key of a project they are not assigned to. The old key stops working for that project's legitimate users and integrations, and if the new key is returned to the caller the attacker now holds a valid credential for the project, which can lead to data theft, manipulation, or complete project compromise.

🟠

Likely Case

Internal users with the Member role, accidentally or intentionally, regenerate keys for projects they should not have access to. Integrations using the old key break, causing service disruption and forcing an unplanned key rotation and investigation.

🟢

If Mitigated

With proper role-based access controls, only authorized administrators can regenerate keys, maintaining project isolation and security.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated Member role access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.7

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54

Restart Required: Yes

Instructions:

1. Back up your current installation.
2. Update your lunary deployment to version 1.2.7 or later (pull the updated container image or check out the release tag; the affected component is the self-hosted lunary server, not the lunary client SDK published on npm).
3. Restart the lunary service.
4. Confirm the running version reports 1.2.7 or later, then verify that a Member-role account can no longer regenerate the key of a project it is not assigned to.

🔧 Temporary Workarounds

Temporary Role Restriction

Applies to: all affected deployments

Until you can patch, either restrict the Member role so it cannot reach key regeneration at all, or add an explicit authorization check in front of the key regeneration endpoint.

Modify the authorization middleware so that requests to /api/projects/*/regenerate-key are rejected unless the caller belongs to the target project's organization, is assigned to that project, and holds a role permitted to rotate keys. Confirm the exact route in your deployed version before relying on a path match, and make the check fail closed: deny when the project cannot be resolved or the caller's membership cannot be determined.
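The check the workaround above describes, as an added example written for this page and not code from the lunary project: a minimal TypeScript model of the key-regeneration handler in its vulnerable shape (any authenticated caller, project taken straight from the URL) next to a hardened shape that fails closed unless the caller is in the project's organization, is assigned to the project, and holds a role allowed to rotate keys. The data model, the role names other than Member, the Owner/Admin-only rotation policy, and the fixture accounts are assumptions for illustration, not lunary's real schema or policy.

```typescript
import { randomBytes } from "node:crypto";

// Hypothetical data model for this example; lunary's real schema and role names may differ.
export type Role = "Owner" | "Admin" | "Member";

export interface User {
  id: string;
  orgId: string;
  role: Role;
}

export interface Project {
  id: string;
  orgId: string;
  privateKey: string;
  memberIds: string[]; // users assigned to this project
}

export type KeyResult =
  | { ok: true; key: string }
  | { ok: false; status: 403; reason: string };

// 256-bit random secret, hex encoded.
export function newPrivateKey(): string {
  return randomBytes(32).toString("hex");
}

// Vulnerable shape: the project is whatever /api/projects/:id/regenerate-key named,
// and the only requirement is that the caller is logged in. Any Member rotates any key.
export function regenerateKeyVulnerable(caller: User | null, project: Project): KeyResult {
  if (!caller) return deny("not authenticated");
  project.privateKey = newPrivateKey();
  return { ok: true, key: project.privateKey };
}

// Hardened shape (assumed policy): same organization, assigned to the project, and a role
// allowed to rotate keys (Owner or Admin). Every check is evaluated before any state changes.
export function regenerateKeySecure(caller: User | null, project: Project): KeyResult {
  if (!caller) return deny("not authenticated");
  if (caller.orgId !== project.orgId) return deny("project belongs to another organization");
  if (project.memberIds.indexOf(caller.id) === -1) return deny("caller is not assigned to this project");
  if (caller.role === "Member") return deny("role Member may not rotate project keys");
  project.privateKey = newPrivateKey();
  return { ok: true, key: project.privateKey };
}

function deny(reason: string): KeyResult {
  return { ok: false, status: 403, reason };
}

// Constructed fixture: one org with an Admin assigned to the project and a Member who is not,
// plus an Owner from a different org.
export function makeFixture() {
  const admin: User = { id: "u-admin", orgId: "org-1", role: "Admin" };
  const member: User = { id: "u-member", orgId: "org-1", role: "Member" };
  const outsider: User = { id: "u-outsider", orgId: "org-2", role: "Owner" };
  const project: Project = {
    id: "p-1",
    orgId: "org-1",
    privateKey: newPrivateKey(),
    memberIds: ["u-admin"],
  };
  return { admin, member, outsider, project };
}

// Runs a caller against a handler and reports whether the attempt was refused AND the stored
// key is unchanged, the property a fixed build must have for every caller it rejects.
export function deniedWithoutRotation(
  handler: (c: User | null, p: Project) => KeyResult,
  caller: User | null,
  project: Project,
): boolean {
  const before = project.privateKey;
  const result = handler(caller, project);
  return !result.ok && project.privateKey === before;
}
```

deniedWithoutRotation checks the stored key as well as the status, because a handler that rotates the key and only then decides to return 403 has still caused the outage described under Likely Case.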

🧯 If You Can't Patch

  • Immediately audit all project key regeneration events in logs for unauthorized attempts.
  • Temporarily disable key regeneration functionality for non-admin users until patching is possible.

🔍 How to Verify

Check if Vulnerable:

Check your lunary version: if it's between 1.2.2 and 1.2.6 inclusive, you are vulnerable.

Check Version:

Check the version field in package.json of your lunary checkout, or the tag of the container image you deploy. Do not rely on npm list lunary-ai/lunary: that is the GitHub repository slug, not an npm package name, and the affected component is the self-hosted lunary server rather than the lunary client SDK published on npm.

Verify Fix Applied:

After updating to 1.2.7+, test that Member role users cannot regenerate keys for projects they aren't assigned to.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /api/projects/*/regenerate-key from accounts that hold the Member role (the role alone is enough to flag, since the fix is that this role may not rotate keys)
  • Key regeneration events where the caller is not a member of the project named in the path, including callers from a different organization

Network Indicators:

  • HTTP 200 (rather than 403) responses to key regeneration requests from users who are not admins or members of the target project; a 200 means the rotation went through and the previous key is already invalid

SIEM Query:

source="lunary" AND (uri_path="/api/projects/*/regenerate-key" AND user_role="Member")

The user_role field is usually not present in the access log itself; populate it by joining the request's user id against your user directory or the lunary user table at ingest or query time. Treat matches with a 2xx status as confirmed rotations that need an immediate key rotation and scope review, and 403 matches as attempts worth following up with the account owner.
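Detection logic for the indicators above, as an added example that is not from the original page or the lunary project. It runs over a few constructed JSON access-log lines: it parses each entry, keeps POST requests to the regenerate-key path, joins the user id against an assumed directory of roles and project assignments, and raises an alert when the caller has the Member role or is not assigned to the target project, marking the event as succeeded on a 2xx status and attempted otherwise. The log field names, the directory structure, and the sample lines are constructed for the example; the endpoint path is the one given in this advisory and should be confirmed against your deployment.

```typescript
// Assumed JSON access-log shape, one object per line. Field names are illustrative;
// map them onto whatever your reverse proxy or lunary deployment actually emits.
export interface AccessLog {
  ts: string;
  ip: string;
  userId: string;
  method: string;
  path: string;
  status: number;
}

// Assumed principal directory (role plus assigned project ids), joined at detection time.
export interface Principal {
  role: "Owner" | "Admin" | "Member";
  projects: string[];
}

export interface Alert {
  ts: string;
  userId: string;
  projectId: string;
  status: number;
  outcome: "succeeded" | "attempted";
  reasons: string[];
}

// Path of the affected endpoint as given in this advisory; tolerates a trailing slash or query string.
const REGEN_KEY_PATH = /^\/api\/projects\/([^\/?#]+)\/regenerate-key\/?(?:[?#].*)?$/;

// Parses one log line; returns null for malformed lines so a bad record cannot abort the scan.
export function parseLogLine(line: string): AccessLog | null {
  let obj: any;
  try {
    obj = JSON.parse(line);
  } catch {
    return null;
  }
  if (typeof obj !== "object" || obj === null) return null;
  if (typeof obj.path !== "string" || typeof obj.method !== "string") return null;
  if (typeof obj.status !== "number" || typeof obj.userId !== "string") return null;
  return {
    ts: typeof obj.ts === "string" ? obj.ts : "",
    ip: typeof obj.ip === "string" ? obj.ip : "",
    userId: obj.userId,
    method: obj.method,
    path: obj.path,
    status: obj.status,
  };
}

export function detectUnauthorizedKeyRegeneration(
  lines: string[],
  directory: Record<string, Principal>,
): Alert[] {
  const alerts: Alert[] = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry || entry.method.toUpperCase() !== "POST") continue;
    const m = REGEN_KEY_PATH.exec(entry.path);
    if (!m) continue;
    const projectId = m[1];
    const principal = directory[entry.userId];
    const reasons: string[] = [];
    if (!principal) {
      reasons.push("user id not found in directory");
    } else {
      if (principal.role === "Member") reasons.push("caller has role Member");
      if (principal.projects.indexOf(projectId) === -1) reasons.push("caller is not assigned to project " + projectId);
    }
    if (reasons.length === 0) continue; // admin rotating a project they belong to: expected
    alerts.push({
      ts: entry.ts,
      userId: entry.userId,
      projectId,
      status: entry.status,
      outcome: entry.status >= 200 && entry.status < 300 ? "succeeded" : "attempted",
      reasons,
    });
  }
  return alerts;
}

// Constructed sample data: an admin on two projects and a member assigned only to p-1.
export const SAMPLE_DIRECTORY: Record<string, Principal> = {
  "u-admin": { role: "Admin", projects: ["p-1", "p-2"] },
  "u-member": { role: "Member", projects: ["p-1"] },
};

export const SAMPLE_LOG: string[] = [
  '{"ts":"2024-04-02T10:00:01Z","ip":"10.0.0.5","userId":"u-admin","method":"POST","path":"/api/projects/p-1/regenerate-key","status":200}',
  '{"ts":"2024-04-02T10:00:07Z","ip":"10.0.0.9","userId":"u-member","method":"POST","path":"/api/projects/p-2/regenerate-key","status":200}',
  '{"ts":"2024-04-02T10:00:09Z","ip":"10.0.0.9","userId":"u-member","method":"GET","path":"/api/projects/p-2/regenerate-key","status":404}',
  '{"ts":"2024-04-02T10:00:12Z","ip":"10.0.0.9","userId":"u-member","method":"POST","path":"/api/projects/p-1/regenerate-key?x=1","status":403}',
  '{"ts":"2024-04-02T10:00:15Z","ip":"10.0.0.77","userId":"u-ghost","method":"POST","path":"/api/projects/p-1/regenerate-key","status":200}',
  "not json at all",
];
```

Against the sample data this yields three alerts: the Member's successful rotation of p-2 (two reasons: role and non-membership), the Member's refused attempt on p-1 (role only, outcome attempted), and a successful rotation by a user id the directory does not know. The admin's rotation of their own project and the GET probe are not reported.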
