
AVID-2026-R1402

Description

Session Reuse Vulnerability in lunary-ai/lunary (CVE-2024-1902)

Details

lunary-ai/lunary is vulnerable to a session reuse attack that allows a removed user to change the organization name without proper authorization. The vulnerability stems from the orgs.patch route not re-validating, on each request, that the requesting user is still a member of the organization. An attacker who was removed from the organization can therefore keep using an old authorization token to send a PATCH request that modifies the organization's name. The root cause is incorrect synchronization between membership changes and existing sessions.

Reason for inclusion in AVID: CVE-2024-1902 describes a session reuse vulnerability in lunary-ai/lunary that allows an attacker with an old token to modify organization data, indicating a security vulnerability in a software component commonly used in AI platforms. This component is part of the software stack that builds/deploys AI systems, aligning with general-purpose AI supply chain concerns. Sufficient evidence is provided via the CVE entry and related references. Therefore, it meets all four criteria.

References

Affected or Relevant Artifacts

  • Developer: lunary-ai
  • Deployer: lunary-ai
  • Artifact Details:
      Type: System
      Name: lunary-ai/lunary

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Base Score: 7.5
  • Base Severity: 🔴 High
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: 🔴 High
  • Availability Impact: NONE

CWE

  • CWE-821: Incorrect Synchronization

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-04-10
  • Version: 0.3.3
  • AVID Entry