CVE-2024-7476
📋 TL;DR
This broken access control vulnerability allows authenticated attackers to modify any user's templates in lunary-ai/lunary by sending crafted HTTP POST requests. Organizations using versions 1.2.7 through 1.4.2 are affected. The vulnerability enables unauthorized template manipulation despite authentication requirements.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors could systematically modify all user templates, potentially inserting malicious content, disrupting workflows, or compromising data integrity across the entire platform.
Likely Case
Attackers modify templates of specific users to disrupt their work, insert misleading information, or gain unauthorized access to template-based workflows.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated incidents that can be quickly detected and reverted.
🎯 Exploit Status
Exploitation requires authenticated access but involves simple HTTP POST requests to a specific endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.3
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5
Restart Required: Yes
Instructions:
1. Backup your current deployment.
2. Update lunary to version 1.4.3 using your package manager or deployment method.
3. Restart the lunary service.
4. Verify the update was successful.
🔧 Temporary Workarounds
API Endpoint Restriction
Temporarily restrict access to the vulnerable /v1/templates/{id}/versions endpoint using web application firewall rules or reverse proxy configuration.
# Example nginx location block to restrict POST to template versions
# (allows GET only; every other method, including POST, gets 403)
location ~ ^/v1/templates/.*/versions$ {
    limit_except GET { deny all; }
}
🧯 If You Can't Patch
- Implement strict access controls and monitoring for template modification activities.
- Deploy web application firewall with rules to detect and block suspicious template modification patterns.
🔍 How to Verify
Check if Vulnerable:
Check if your lunary version is between 1.2.7 and 1.4.2 inclusive. Attempt to modify another user's template via POST to /v1/templates/{id}/versions while authenticated.
Check Version:
Check your lunary deployment configuration, run lunary --version, or check the version field in package.json.
Verify Fix Applied:
After updating to 1.4.3, verify that authenticated users can only modify their own templates and receive proper authorization errors for others' templates.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /v1/templates/*/versions from a single user
- Template modification requests where user ID doesn't match template owner
- Unusual template update patterns
Network Indicators:
- HTTP POST requests to template version endpoints with mismatched user/template ownership
SIEM Query:
source="lunary" AND (uri_path="/v1/templates/*/versions" AND http_method="POST") | stats count by user_id, template_id
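The ownership-mismatch and per-user-volume indicators above, as an added detection example that is not part of the advisory or the lunary project: the log line format and the template-owner map are constructed placeholders for a deployment's own access logs and database.

```python
import re
from collections import Counter

# Constructed sample: which user owns which template (in practice, read from the lunary DB).
TEMPLATE_OWNERS = {"tpl-101": "user-a", "tpl-202": "user-b", "tpl-303": "user-b"}

# Constructed access-log lines in a minimal format: <user_id> <method> <path> <status>
SAMPLE_LOGS = """\
user-a POST /v1/templates/tpl-101/versions 200
user-a POST /v1/templates/tpl-202/versions 200
user-a POST /v1/templates/tpl-303/versions 200
user-b POST /v1/templates/tpl-202/versions 200
user-b GET /v1/templates/tpl-101/versions 200
user-c POST /v1/templates/tpl-101/versions 403
"""

LINE_RE = re.compile(r"^(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
PATH_RE = re.compile(r"^/v1/templates/(?P<template>[^/]+)/versions$")


def find_cross_user_writes(log_text, owners):
    """Return (mismatches, post_counts).

    mismatches: (user, template, owner, status) for every POST that created a
    version on a template the requesting user does not own. On 1.2.7-1.4.2 such
    requests succeed (2xx); after 1.4.3 they should be rejected (403).
    post_counts: POSTs to the versions endpoint per user, for the
    'many POSTs from a single user' indicator.
    """
    mismatches = []
    post_counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        p = PATH_RE.match(m["path"])
        if not p:
            continue
        post_counts[m["user"]] += 1
        owner = owners.get(p["template"])
        if owner is not None and owner != m["user"]:
            mismatches.append((m["user"], p["template"], owner, int(m["status"])))
    return mismatches, post_counts


def successful_cross_user_writes(mismatches):
    """Mismatched writes the server accepted (2xx): evidence the flaw was exploitable."""
    return [m for m in mismatches if 200 <= m[3] < 300]
```

A non-empty result from successful_cross_user_writes on a patched deployment means the fix is not effective or ownership data is wrong; on an unpatched one it identifies which templates to review and revert.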