How severe is CVE-2024-4146?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2024-4146?

This is classified as CWE-863, which is a common weakness in software security.

CVE-2024-4146 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the `account_project` table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.

Related Vulnerabilities

CVE-2001-1155

CRITICAL

CVSS:9.8(Critical)

TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the PARANOID ACL option enabled does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass i...

CWE-8632001

CVE-2008-7109

CRITICAL

CVSS:9.8(Critical)

The Scanner File Utility (aka listener) in Kyocera Mita (KM) 3.3.0.1 allows remote attackers to bypass authorization and upload arbitrary files to the client system via a modified program that does no...

CWE-8632008

CVE-2010-1435

CRITICAL

CVSS:9.8(Critical)

Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the dat...

CWE-8632010

CVE-2012-6094

CRITICAL

CVSS:9.8(Critical)

cups (Common Unix Printing System) 'Listen localhost:631' option not honored correctly which could provide unauthorized access to the system

CWE-8632012

CVE-2013-2198

CRITICAL

CVSS:9.8(Critical)

The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows attackers to bypass intended restrictions via a crafted username.

CWE-8632013

CVE-2016-20001

CRITICAL

CVSS:9.8(Critical)

The REST/JSON project 7.x-1.x for Drupal allows node access bypass, aka SA-CONTRIB-2016-033. NOTE: This project is not covered by Drupal's security advisory policy.

CWE-8632016