CVE-2024-9096
📋 TL;DR
This vulnerability allows low-privilege users to modify checklists in lunary-ai/lunary version 1.4.28 by exploiting missing access controls on the /checklists/:id PATCH endpoint. Any user associated with a project can tamper with checklist data, potentially disrupting workflows and business logic. Organizations using the affected version are at risk.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could systematically alter or delete critical checklists, causing project failures, data corruption, and business process disruption across the entire application.
Likely Case
Accidental or intentional modification of checklists by unauthorized users leads to workflow errors, incorrect data, and reduced system integrity within specific projects.
If Mitigated
With proper role-based access controls, only authorized users (project owners/admins) can modify checklists, maintaining data integrity and workflow reliability.
🎯 Exploit Status
Exploitation requires authenticated low-privilege access; attackers can use standard HTTP PATCH requests to modify checklist endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit a8d7b2959e87c30fbafdb12af7ffa093385dcc60
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/a8d7b2959e87c30fbafdb12af7ffa093385dcc60
Restart Required: No
Instructions:
1. Update to the latest version of lunary-ai/lunary.
2. Ensure the commit a8d7b2959e87c30fbafdb12af7ffa093385dcc60 is applied.
3. Verify that access controls are properly implemented on the /checklists/:id route.
🔧 Temporary Workarounds
Implement middleware access control
Add custom middleware to the /checklists/:id PATCH route to verify user roles (e.g., project owner or admin) before allowing modifications.
Disable checklist modification endpoints
Temporarily disable or restrict access to the /checklists/:id PATCH endpoint until patching is complete.
🧯 If You Can't Patch
- Implement network-level access controls to restrict PATCH requests to the /checklists/:id endpoint from unauthorized IPs or users.
- Monitor and audit all PATCH requests to the /checklists/:id endpoint for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check if your lunary version is 1.4.28 and test if low-privilege users can successfully send PATCH requests to /checklists/:id endpoints.
Check Version:
Check the package.json or application version endpoint for lunary version.
Verify Fix Applied:
After updating, verify that low-privilege users receive an access denied error when attempting PATCH requests to /checklists/:id, while authorized users (project owners/admins) can still modify checklists.
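The role check that the middleware workaround above describes, and the behaviour the verification step expects, as an added example that is not lunary's own code. It assumes a simple model in which each checklist belongs to one project and each user holds one role ("owner", "admin" or "member") per project; the store, role table and requests are constructed sample data.

```javascript
// Added example (not lunary's code): authorization for PATCH /checklists/:id.
// Assumed model: a checklist belongs to a project; a user holds one role per
// project ("owner", "admin" or "member"). All data below is constructed.

const checklists = new Map([
  ["cl-1", { id: "cl-1", projectId: "proj-A", items: ["review logs"] }],
]);

// projectRoles[userId][projectId] -> role (constructed sample data)
const projectRoles = {
  "u-owner": { "proj-A": "owner" },
  "u-member": { "proj-A": "member" },
  "u-outsider": {},
};

const MODIFY_ROLES = new Set(["owner", "admin"]);

// The weak shape the advisory describes: any user associated with the
// project, whatever their role, may modify the checklist.
function canPatchChecklistWeak(userId, checklist) {
  const role = projectRoles[userId]?.[checklist.projectId];
  return role !== undefined;
}

// Hardened check: the user must hold a modifying role on that project.
function canPatchChecklist(userId, checklist) {
  const role = projectRoles[userId]?.[checklist.projectId];
  return role !== undefined && MODIFY_ROLES.has(role);
}

// Handler for PATCH /checklists/:id returning an HTTP-like result. The
// `authorize` parameter lets the weak and hardened checks be compared.
function patchChecklist(userId, checklistId, body, authorize = canPatchChecklist) {
  const checklist = checklists.get(checklistId);
  if (!checklist) return { status: 404, body: { error: "not found" } };
  if (!authorize(userId, checklist)) {
    return { status: 403, body: { error: "forbidden" } };
  }
  // Copy only the allow-listed field from the request body.
  const updated = { ...checklist, items: body.items ?? checklist.items };
  checklists.set(checklistId, updated);
  return { status: 200, body: updated };
}
```

Running the same member request through the weak and the hardened check reproduces the "check if vulnerable" and "verify fix applied" steps: the weak check returns 200 for a plain member, the hardened one returns 403.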
📡 Detection & Monitoring
Log Indicators:
- Unusual PATCH requests to /checklists/:id from low-privilege user accounts
- Failed access attempts or authorization errors on checklist modification endpoints
Network Indicators:
- HTTP PATCH requests to /checklists/:id endpoints from unexpected user roles or IP addresses
SIEM Query:
source="application_logs" AND (url_path="/checklists/*" AND http_method="PATCH") AND user_role!="admin" AND user_role!="owner"