Lunary Improper Privilege Management Vulnerability in Models Modification

Vulnerability

A vulnerability in Lunary AI's application version 1.5.0 allows users with viewer roles to improperly modify models owned by others. The issue arises from the PATCH endpoint for models, which lacks adequate privilege checks. This oversight enables low-privilege users to update models they should not have access to, potentially leading to unauthorized changes in critical resources and undermining the system's integrity and reliability.

Impact

Exploitation of this vulnerability could result in unauthorized modifications to models, allowing users to change critical data or resources that should be protected.

Reproduction

To reproduce this vulnerability, a user with a viewer role sends a PATCH request to the models endpoint, targeting a model owned by another user. Because the endpoint never verifies the caller's role or ownership of the model, the changes in the request body are applied as submitted.

Remediation

Users can update to Lunary version 1.5.1, where this vulnerability has been addressed.
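The entry does not show Lunary's own fix. As an added illustration, not Lunary's code, the JavaScript below contrasts a PATCH handler for a model that only identifies the caller with one that enforces the role and ownership checks the advisory says were missing, and records denied attempts for monitoring. The in-memory data shapes, the role names other than "viewer", the field allow-list and the status codes are assumptions chosen for the example.

```javascript
// Added example (not Lunary's code). Sample state is constructed inline:
// one model owned by "u-alice"; "u-bob" only holds the viewer role.
function sampleState() {
  return {
    users: {
      "u-alice": { id: "u-alice", role: "owner" },   // role names assumed
      "u-bob":   { id: "u-bob",   role: "viewer" },  // read-only role
      "u-carol": { id: "u-carol", role: "admin" },
    },
    models: {
      "m-1": { id: "m-1", ownerId: "u-alice", name: "example-model", temperature: 0.2 },
    },
    audit: [],  // denied write attempts land here for detection/alerting
  };
}

// Vulnerable variant: resolves the caller and the model, then applies the
// body without asking whether this user may write to this model at all.
function patchModelVulnerable(models, userId, modelId, changes) {
  const model = models[modelId];
  if (!model) return { status: 404 };
  Object.assign(model, changes);
  return { status: 200, model };
}

// Hardened variant. Three checks before any write:
//   1. the caller holds a role that is allowed to write (viewers never are),
//   2. the caller owns the model, unless they are an admin,
//   3. only explicitly patchable fields may change (no rewriting ownerId).
const WRITE_ROLES = new Set(["owner", "member", "admin"]);  // assumed role set
const PATCHABLE_FIELDS = new Set(["name", "temperature"]);

function canModifyModel(user, model) {
  if (!user || !WRITE_ROLES.has(user.role)) return false;  // viewer -> denied
  if (user.role === "admin") return true;                    // admins edit any model
  return model.ownerId === user.id;                          // others: own models only
}

function patchModelSecure(state, userId, modelId, changes) {
  const user = state.users[userId];
  if (!user) return { status: 401 };
  const model = state.models[modelId];
  if (!model) return { status: 404 };

  if (!canModifyModel(user, model)) {
    // Log the denial: repeated 403s from a viewer on others' models is the
    // signal a detection rule would look for.
    state.audit.push({ event: "model.patch.denied", userId, modelId, role: user.role });
    return { status: 403 };
  }

  const disallowed = Object.keys(changes).filter((k) => !PATCHABLE_FIELDS.has(k));
  if (disallowed.length > 0) return { status: 400, disallowed };

  const updated = { ...model, ...changes };
  state.models[modelId] = updated;
  return { status: 200, model: updated };
}

module.exports = { sampleState, patchModelVulnerable, patchModelSecure, canModifyModel };
```

Run stand-alone, the vulnerable handler lets the viewer "u-bob" overwrite "m-1"; the hardened handler returns 403 for the same request, leaves the model untouched, and appends an audit record that a SIEM rule can key on.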

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.