lunary
cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*
- 1.5.5
A privilege escalation vulnerability has been identified in Lunary version 1.5.5, where administrators without direct access to billing resources can grant themselves billing permissions. This flaw allows them to manage billing, bypassing the intended role-based access control that restricts such actions to users with the 'owner' role. The vulnerability poses a risk to the organization's financial resources by enabling unauthorized access and control over billing information.
Exploitation of this vulnerability could lead to unauthorized access and management of billing information, allowing admins to manipulate financial resources without proper authorization.
To reproduce this vulnerability, an admin user must access the user management features of the application. From there, the admin can modify the permissions of other users to include billing access, despite not having the authority to manage billing resources directly. This can be done by selecting a user and changing their role to one that includes billing permissions, effectively circumventing the access controls that are supposed to limit such actions to 'owner' role users.
Users are advised to update to the latest version of Lunary where this vulnerability has been addressed.
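As an added illustration, not Lunary's own code, the check below sketches the authorization pattern behind this class of bug in a hypothetical role-change handler: the vulnerable form treats "may manage users" as "may assign any role", while the hardened form only lets an actor grant permissions it already holds, refuses to mint owners and refuses self-targeted changes. Role names, permission names, the User shape and the audit string format are all assumptions.

```typescript
type Role = "owner" | "admin" | "member";
type Permission = "billing" | "users" | "projects";

// Assumed role-to-permission mapping: only "owner" carries "billing".
const ROLE_PERMISSIONS: Record<Role, readonly Permission[]> = {
  owner: ["billing", "users", "projects"],
  admin: ["users", "projects"],
  member: ["projects"],
};

interface User {
  id: string;
  role: Role;
}

function hasPermission(user: User, p: Permission): boolean {
  return ROLE_PERMISSIONS[user.role].includes(p);
}

// Vulnerable shape: the ability to manage users is treated as the ability to
// assign any role, so an admin can hand out billing access it lacks itself.
function canAssignRoleVulnerable(actor: User, _target: User, _newRole: Role): boolean {
  return hasPermission(actor, "users");
}

// Hardened shape: the actor must hold every permission the new role carries,
// may not promote anyone to owner unless it is an owner, and may not change
// its own role (self-escalation).
function canAssignRoleFixed(actor: User, target: User, newRole: Role): boolean {
  if (!hasPermission(actor, "users")) return false;
  if (actor.id === target.id) return false;
  if (newRole === "owner" && actor.role !== "owner") return false;
  return ROLE_PERMISSIONS[newRole].every((p) => hasPermission(actor, p));
}

// Audit helper (assumed format): one log line per role-change attempt, so a
// denied upward grant is visible to detection tooling.
function auditRoleChange(actor: User, target: User, newRole: Role): string {
  const verdict = canAssignRoleFixed(actor, target, newRole) ? "ALLOW" : "DENY";
  return `${verdict} role_change actor=${actor.id}(${actor.role}) target=${target.id} new_role=${newRole}`;
}

// Constructed sample: an admin trying to make a member an owner (billing holder).
const sampleAdmin: User = { id: "u-admin", role: "admin" };
const sampleMember: User = { id: "u-member", role: "member" };
console.log("vulnerable:", canAssignRoleVulnerable(sampleAdmin, sampleMember, "owner"));
console.log("fixed:     ", canAssignRoleFixed(sampleAdmin, sampleMember, "owner"));
console.log(auditRoleChange(sampleAdmin, sampleMember, "owner"));
```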