Lunary API Insecure Direct Object Reference Vulnerability in Template Creation

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Lunary API, specifically in the POST /v1/templates endpoint, affecting versions prior to 0.8.8. It allows an authenticated user to create templates in other users' projects by manipulating the projectId query parameter. The root cause is missing server-side validation: the endpoint never verifies that the requesting user owns the specified projectId.
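The following is an added illustration, not Lunary's own code: a minimal in-memory model of the authorization flaw described above, showing a handler that trusts the projectId query parameter beside one that resolves the project server-side and checks ownership against the identity carried by the bearer token. The names (projects, templates, createTemplateVulnerable, createTemplateFixed, makeRequest) and the data shapes are assumptions made for this example.

```javascript
// Added example (not Lunary's code): models the missing ownership check on
// POST /v1/templates. All names and data shapes below are assumptions.

// Constructed sample data: two users, each owning one project.
const projects = new Map([
  ["proj-alice", { id: "proj-alice", ownerId: "user-alice" }],
  ["proj-bob", { id: "proj-bob", ownerId: "user-bob" }],
]);
const templates = [];

// Simulated authenticated request: auth.userId is derived from the bearer
// token on the server; query.projectId is client-controlled input.
function makeRequest(userId, projectId, body) {
  return { auth: { userId }, query: { projectId }, body };
}

// Vulnerable handler: uses projectId straight from the query string and only
// checks that the project exists, never that the caller owns it.
function createTemplateVulnerable(req) {
  const { projectId } = req.query;
  if (!projects.has(projectId)) {
    return { status: 404, error: "project not found" };
  }
  const template = { id: `tpl-${templates.length + 1}`, projectId, slug: req.body.slug };
  templates.push(template);
  return { status: 200, template };
}

// Hardened handler: looks the project up server-side and rejects the request
// unless the authenticated user is its owner. Answering 404 for both unknown
// and foreign projects avoids confirming that a given project ID exists.
function createTemplateFixed(req) {
  const { projectId } = req.query;
  const project = projects.get(projectId);
  if (!project || project.ownerId !== req.auth.userId) {
    return { status: 404, error: "project not found" };
  }
  const template = { id: `tpl-${templates.length + 1}`, projectId, slug: req.body.slug };
  templates.push(template);
  return { status: 200, template };
}

// Helper used to observe the effect: how many templates a project holds.
function templatesInProject(projectId) {
  return templates.filter((t) => t.projectId === projectId).length;
}
```

With a request authenticated as user-bob but carrying projectId=proj-alice, createTemplateVulnerable returns 200 and stores the template under Alice's project, while createTemplateFixed returns 404 and stores nothing; Bob's own project is still accepted. The general rule the fix applies is to derive authorization from the server-side owner record, never from an identifier the client supplied.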

Impact

Exploitation of this vulnerability allows for unauthorized creation of templates in another user's project.

Reproduction

To reproduce this vulnerability, log into an account and intercept a request to the POST /v1/templates endpoint with a proxy tool such as Burp Suite. Modify the request so that it carries the attacker's own bearer token but the projectId of a victim's project. Once the request is sent, the template is created in the victim's project, demonstrating the IDOR vulnerability.

Remediation

Users should update to Lunary API version 1.9.23 or later, where this vulnerability has been fixed.

Added: Aug 18, 2025, 2:17 PM
Updated: Aug 18, 2025, 2:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.2
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.