CVE-2024-9098
📋 TL;DR
This privilege escalation vulnerability allows administrators in lunary-ai/lunary to invite new users with billing permissions, bypassing intended access controls. This enables unauthorized access to billing resources and potential financial impact. Organizations using affected versions of lunary are at risk.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Administrators could grant billing access to unauthorized users, leading to financial fraud, unauthorized billing changes, or data exfiltration of sensitive billing information.
Likely Case
Administrators inadvertently or intentionally create users with billing permissions beyond their intended scope, potentially causing billing errors or unauthorized access to financial resources.
If Mitigated
With proper role-based access controls and monitoring, the impact is limited to potential minor configuration errors that can be quickly detected and corrected.
🎯 Exploit Status
Exploitation requires admin privileges and knowledge of the user invitation endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.30
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/a8d7b2959e87c30fbafdb12af7ffa093385dcc60
Restart Required: Yes
Instructions:
1. Update lunary to version 1.4.30 or later.
2. Restart the lunary service.
3. Verify the fix by checking that admin users cannot invite users with billing permissions.
🔧 Temporary Workarounds
Disable user invitation feature
Temporarily disable the user invitation functionality until patching is complete.
# Configuration depends on deployment method. Check lunary documentation for disabling user invitations.
Implement additional access controls
Add middleware or proxy rules to restrict access to user creation endpoints.
# Implementation varies based on infrastructure. Consider WAF rules or API gateway restrictions.
🧯 If You Can't Patch
- Implement strict monitoring of user creation events and billing permission assignments.
- Reduce admin privileges to only essential personnel and implement approval workflows for user creation.
🔍 How to Verify
Check if Vulnerable:
Check whether the lunary version is below 1.4.30. As an admin, attempt to invite a user with billing permissions (test in a safe environment).
Check Version:
Check package.json or run: npm list lunary-ai/lunary (if using npm) or check deployment manifest.
Verify Fix Applied:
After updating to 1.4.30+, verify that admin users cannot successfully invite users with billing permissions.
📡 Detection & Monitoring
Log Indicators:
- User creation events with billing permissions assigned
- Admin users inviting new users with billing roles
Network Indicators:
- POST requests to user invitation endpoints with billing role parameters
SIEM Query:
source="lunary" AND (event="user_created" OR event="user_invited") AND role="billing"
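The log indicators and SIEM query above can be checked offline against an exported audit log. The following is an added example, not code from lunary or from this advisory; it narrows the SIEM query to invitation or creation events where the actor is an admin (the case the fix forbids) and assumes the log is JSON lines with the hypothetical fields `event`, `actor`, `actor_role`, `target` and `role`.

```javascript
// Added example (not lunary's own code): flag user_invited/user_created
// events in which an admin-level actor assigns the billing role.
// Field names (event, actor, actor_role, target, role) are assumptions.

// Constructed sample audit log, one JSON object per line (not real data).
const SAMPLE_LOG = `
{"ts":"2024-09-20T10:00:01Z","event":"user_invited","actor":"owner@example.com","actor_role":"owner","target":"fin@example.com","role":"billing"}
{"ts":"2024-09-20T10:02:14Z","event":"user_invited","actor":"admin@example.com","actor_role":"admin","target":"bob@example.com","role":"member"}
{"ts":"2024-09-20T10:05:30Z","event":"user_invited","actor":"admin@example.com","actor_role":"admin","target":"eve@example.com","role":"billing"}
{"ts":"2024-09-20T10:06:00Z","event":"user_created","actor":"admin@example.com","actor_role":"admin","target":"eve@example.com","role":"billing"}
{"ts":"2024-09-20T10:07:00Z","event":"login","actor":"eve@example.com"}
not valid json
`;

// Parse JSON lines, skipping blank and malformed lines instead of aborting the scan.
function parseLog(text) {
  const events = [];
  for (const line of text.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try {
      events.push(JSON.parse(trimmed));
    } catch {
      // malformed line: skip it, a real deployment would count these separately
    }
  }
  return events;
}

// Same predicate as the page's SIEM query, restricted to admin actors.
// An owner granting billing is expected; an admin doing so is the bug.
function isSuspiciousBillingGrant(ev) {
  return (ev.event === "user_created" || ev.event === "user_invited")
    && ev.actor_role === "admin"
    && String(ev.role).toLowerCase() === "billing";
}

function findSuspiciousGrants(text) {
  return parseLog(text).filter(isSuspiciousBillingGrant);
}

for (const h of findSuspiciousGrants(SAMPLE_LOG)) {
  console.log(`${h.ts} ${h.event} by ${h.actor} -> ${h.target} (role=${h.role})`);
}
```

On the constructed log this reports the two admin-issued billing grants and leaves the owner's grant and the plain member invitation alone.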