CVE-2024-5714
📋 TL;DR
In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows team members with management permissions to manipulate project identifiers in API requests. This enables them to invite users to projects in other organizations, change members between organizations with escalated privileges, and cause platform inconsistencies. The vulnerability affects users with team management permissions in multi-tenant deployments.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Attackers could escalate privileges across organizations, gain unauthorized access to sensitive projects, manipulate user memberships, and cause significant data integrity issues across the entire platform.
Likely Case
Malicious insiders or compromised accounts with team management permissions could manipulate project memberships across organizational boundaries, leading to unauthorized access and privilege escalation.
If Mitigated
With proper access controls and validation, users would only be able to manage projects within their own organization, preventing cross-organization manipulation.
🎯 Exploit Status
Exploitation requires authenticated access with team management permissions. The vulnerability is straightforward to exploit by manipulating project IDs in API requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 43206bacac3b43ad9f2db6dafd165e61a21e6b97
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/43206bacac3b43ad9f2db6dafd165e61a21e6b97
Restart Required: Yes
Instructions:
1. Update to the latest version of lunary-ai/lunary. 2. Apply the fix from commit 43206bacac3b43ad9f2db6dafd165e61a21e6b97. 3. Restart the lunary backend service. 4. Verify the fix by testing user invitation and modification endpoints.
🔧 Temporary Workarounds
Temporary API validation
allImplement middleware to validate project IDs against user's organization before processing user invitation/modification requests.
# Add validation in API middleware to check project.org_id == user.org_id
Restrict team management permissions
allTemporarily reduce the number of users with team management permissions to minimize attack surface.
# Review and update user roles to minimize team management permissions
🧯 If You Can't Patch
- Implement strict API gateway rules to validate project-organization mappings
- Enable detailed audit logging for all user invitation and modification operations
🔍 How to Verify
Check if Vulnerable:
Test if users with team management permissions can invite users to projects with organization IDs different from their own by manipulating project IDs in API requests.Check Version:
Check lunary version in package.json or via API endpoint if availableVerify Fix Applied:
Verify that API endpoints properly validate project IDs against the user's organization and reject cross-organization operations.📡 Detection & Monitoring
Log Indicators:
- Unusual cross-organization user invitations
- Multiple failed validation attempts for project-organization mapping
- User modification requests with mismatched org_id/project_id combinations
Network Indicators:
- API requests to user invitation/modification endpoints with manipulated project IDs
- Unusual patterns of user management across different organizations
SIEM Query:
source="lunary" AND (operation="invite_user" OR operation="modify_user") AND project_org_id != user_org_id