[GHSA-6p2q-8qfq-wq7x] Lunary improper access control vulnerability

[hughcrt]

Updates

• Affected products
• CVSS v3

Comments
The NPM package is not tied to this repo. This vulnerability concerns the main repo, not the NPM compagnon package.

[Copilot]

Pull Request Overview

This PR updates the advisory JSON for the Lunary vulnerability, primarily reflecting changes in the vulnerability scoring data.

• The "modified" timestamp has been updated.
• The CVSS_V3 scoring block has been removed in favor of CVSS_V4.

Comments suppressed due to low confidence (2)

advisories/github-reviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json:4

• The updated 'modified' timestamp is a minor change; ensure that this update is consistent with audit logs and does not conflict with historical timestamp tracking.

  "modified": "2024-11-18T16:27:14Z",

advisories/github-reviewed/2024/09/GHSA-6p2q-8qfq-wq7x/GHSA-6p2q-8qfq-wq7x.json:10

• The removal of the CVSS_V3 block indicates a shift to using only CVSS_V4. Ensure that all consumers of this advisory have been updated to support the new scoring system.

  "details": "An improper access control vulnerability exists in lunary-ai/lunary prior to commit 844e8855c7a713dc7371766dba4125de4007b1cf on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.",

[advisory-database]

Hi @hughcrt! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!