CVE-2024-3379
Published 2024-11-14
Priority P3 · 48 · high · 8.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.39% (30.4th percentile)
In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to that project. This issue was fixed in version 1.2.7.
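The authorization defect the advisory describes, as an added example that is not code from the lunary-ai/lunary project: an in-memory model of a project "regenerate private key" endpoint, with the broken check (org membership only, the CWE-863 pattern that lets a Member rotate the key of a project they are not assigned to) beside a hardened one that also checks role and project assignment before touching any state. The role names, the key format, the policy in `canRegenerateKey` (owners org-wide, admins only for assigned projects, members never) and the fixture data are assumptions made for this example, not Lunary's own.

```typescript
// Added example, not lunary-ai/lunary code. Role names, key format and policy are assumed.
import { randomBytes } from "crypto";

type Role = "owner" | "admin" | "member"; // assumed role names for the example

interface User {
  id: string;
  orgId: string;
  role: Role;
  assignedProjects: Set<string>; // projects this user is explicitly assigned to
}

interface Project {
  id: string;
  orgId: string;
  privateKey: string; // the per-project secret an SDK uses to authenticate
}

class ForbiddenError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ForbiddenError";
  }
}

// 32 hex chars of CSPRNG output stands in for the real key format (assumed).
const newPrivateKey = (): string => randomBytes(16).toString("hex");

// Constructed fixture: one project in org-1 and four callers with different rights.
function makeFixture() {
  const projects = new Map<string, Project>([
    ["proj-1", { id: "proj-1", orgId: "org-1", privateKey: newPrivateKey() }],
  ]);
  const owner: User = { id: "u-owner", orgId: "org-1", role: "owner", assignedProjects: new Set(["proj-1"]) };
  const admin: User = { id: "u-admin", orgId: "org-1", role: "admin", assignedProjects: new Set(["proj-1"]) };
  const member: User = { id: "u-member", orgId: "org-1", role: "member", assignedProjects: new Set() };
  const outsider: User = { id: "u-out", orgId: "org-2", role: "owner", assignedProjects: new Set() };
  return { projects, owner, admin, member, outsider };
}

type Handler = (projects: Map<string, Project>, caller: User, projectId: string) => string;

// Vulnerable shape (CWE-863): the only check is org membership, so any
// authenticated "member" can rotate the key of a project they were never
// assigned to. Rotation both hands them the new key and silently breaks every
// integration still using the old one.
const regenerateKeyVulnerable: Handler = (projects, caller, projectId) => {
  const project = projects.get(projectId);
  if (!project) throw new Error("project not found");
  if (project.orgId !== caller.orgId) throw new ForbiddenError("caller is outside the project's org");
  project.privateKey = newPrivateKey();
  return project.privateKey;
};

// Hardened check, decided in one function before any state changes:
// tenant boundary, then role, then explicit assignment for non-owners.
function canRegenerateKey(caller: User, project: Project): boolean {
  if (project.orgId !== caller.orgId) return false;
  if (caller.role === "owner") return true;
  if (caller.role === "admin") return caller.assignedProjects.has(project.id);
  return false; // "member" never rotates keys under this (assumed) policy
}

const regenerateKeyFixed: Handler = (projects, caller, projectId) => {
  const project = projects.get(projectId);
  if (!project) throw new Error("project not found");
  if (!canRegenerateKey(caller, project)) {
    throw new ForbiddenError(`${caller.id} (${caller.role}) may not regenerate the key of ${project.id}`);
  }
  project.privateKey = newPrivateKey();
  return project.privateKey;
};

// Sends the same request through both handlers for every caller and records
// whether the regeneration was allowed.
function attemptAll(): Record<string, { vulnerable: boolean; fixed: boolean }> {
  const f = makeFixture();
  const callers: Record<string, User> = { owner: f.owner, admin: f.admin, member: f.member, outsider: f.outsider };
  const allowed = (handler: Handler, caller: User): boolean => {
    try {
      handler(f.projects, caller, "proj-1");
      return true;
    } catch (e) {
      if (e instanceof ForbiddenError) return false;
      throw e;
    }
  };
  const result: Record<string, { vulnerable: boolean; fixed: boolean }> = {};
  for (const [name, caller] of Object.entries(callers)) {
    result[name] = { vulnerable: allowed(regenerateKeyVulnerable, caller), fixed: allowed(regenerateKeyFixed, caller) };
  }
  return result;
}

// An authorized rotation must actually replace the stored key.
function rotationReplacesKey(): boolean {
  const f = makeFixture();
  const before = f.projects.get("proj-1")!.privateKey;
  const after = regenerateKeyFixed(f.projects, f.owner, "proj-1");
  return before !== after && f.projects.get("proj-1")!.privateKey === after;
}

console.log(attemptAll());
```

Run it with ts-node or tsx: `attemptAll()` reports the unassigned member allowed through the vulnerable handler and refused by the fixed one, while the out-of-org caller is refused by both. The point of `canRegenerateKey` is that the decision is made, in full, before the key is replaced; a handler that rotates first and only then discovers the caller lacked rights has already leaked a fresh secret and invalidated the old one, which is consistent with the C:H/I:H in the vector above.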
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lunary-ai | lunary-ai_lunary | >= unspecified < 1.2.7 | 1.2.7 |
| lunary | lunary | >= 1.2.2 < 1.2.7 | 1.2.7 |
Jenkins core, LTS and weekly are not affected by this CVE. The Jenkins advisory referenced further down is SECURITY-3379 / CVE-2024-22201, a separate issue that shares only the number 3379 with this record, and it carried no version range here.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| NVD | 3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| Red Hat (vendor) | — | 7.8 | HIGH | — |
GHSA
GHSA-8pg7-v7vv-p54p (ghsa_unreviewed · 2024-11-14)
CVE-2024-3379 [CRITICAL] · CWE-863 (Incorrect Authorization)
Description: identical to the NVD text above (lunary-ai/lunary 1.2.2 through 1.2.6, Member role can regenerate the private key of a project it is not assigned to; fixed in 1.2.7).
Jenkins
Jenkins Security Advisory 2024-03-20
vendor_jenkins · 2024-03-20 · CVSS 7.5
CVE-2024-22201 [HIGH]: HTTP/2 denial of service vulnerability in bundled Jetty (SECURITY-3379)
This reference is unrelated to CVE-2024-3379. It was linked on the Jenkins tracker identifier SECURITY-3379, which is not a CVE number; the advisory covers Jenkins (core) only.
Severity (CVSS): High
Description: Jenkins bundles Winstone-Je
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.