CVE-2024-9096

In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify checklist data. This vulnerability allows any user associated with the project, regardless of their role, to modify checklists, including changing the slug or data fields, which can lead to tampering with essential project workflows, altering business logic, and introducing errors that undermine integrity.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/a8d7b2959e87c30fbafdb12af7ffa093385dcc60	Patch
https://huntr.com/bounties/653e7109-4c21-4e33-b636-7598d3202b9a	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:1.4.28:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-9096

Mitre link : CVE-2024-9096

CVE.ORG link : CVE-2024-9096

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-862

Missing Authorization

NVD-CWE-noinfo

{"id": "CVE-2024-9096", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:46.820", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/a8d7b2959e87c30fbafdb12af7ffa093385dcc60", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/653e7109-4c21-4e33-b636-7598d3202b9a", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify checklist data. This vulnerability allows any user associated with the project, regardless of their role, to modify checklists, including changing the slug or data fields, which can lead to tampering with essential project workflows, altering business logic, and introducing errors that undermine integrity."}, {"lang": "es", "value": "En la versi\u00f3n 1.4.28 de lunary-ai/lunary, la ruta /checklists/:id permite a usuarios con pocos privilegios modificar listas de verificaci\u00f3n mediante una solicitud PATCH. Esta ruta carece de un control de acceso adecuado, como middleware, que garantice que solo los usuarios autorizados (p. ej., propietarios o administradores de proyectos) puedan modificar los datos de las listas de verificaci\u00f3n. Esta vulnerabilidad permite a cualquier usuario asociado al proyecto, independientemente de su rol, modificar las listas de verificaci\u00f3n, incluyendo la modificaci\u00f3n del slug o de los campos de datos, lo que puede provocar la manipulaci\u00f3n de flujos de trabajo esenciales del proyecto, la alteraci\u00f3n de la l\u00f3gica de negocio y la introducci\u00f3n de errores que socavan la integridad."}], "lastModified": "2025-10-15T13:15:57.660", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:1.4.28:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1EA5C3CD-9252-440E-A34A-6C587D2AB57D"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}