Cyber Resilience

CVE-2024-6582

Severity: Medium · Public PoC

Published: 13 September 2024
Modified: 03 November 2024
KEV Added: no (not listed in the CISA KEV catalog)
CVSS Score v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0018 (40.0th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-6582 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Lunary (lunary-ai/lunary). Its CVSS v3.1 base score is 4.3 (Medium). The vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) describes a network-reachable flaw that needs only a low-privileged authenticated account, so in practice this is a tenant-isolation (authorization) failure rather than an absent login: the caller is authenticated, but is never checked against the organization it targets. Note that the vector records no integrity impact even though the description below covers rewriting another organization's IdP settings.

Operationally, exploitation aligns with the MITRE ATT&CK technique Trust Modification (T1484.002). EPSS ranks it at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Other ATLAS/OWASP Terms risk domain, with MITRE ATLAS techniques Denial of AI Service (AML.T0029) and Erode AI Model Integrity (AML.T0031) in scope.


Vulnerability details

A broken access control vulnerability exists in the latest version of lunary-ai/lunary (affected versions ≤ 1.4.9, per Affected Assets below). The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to unauthorized access and potential account takeover if the email of a user in the target organization is known.
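As an added illustration (not lunary's own code), the following TypeScript models the flaw just described: a SAML settings handler that trusts the organization id in the request rather than the organization bound to the caller's session, beside a hardened handler that scopes every read and write to the session's organization. The field names, the route shape `/auth/saml/:orgId`, the role model and the in-memory store are assumptions made for the demonstration.

```typescript
// Added illustrative example, not lunary's own code. It models the flaw described
// above: a SAML settings endpoint that trusts the organization id in the request
// rather than the organization bound to the caller's session. The field names,
// route shape and in-memory store are assumptions made for the demonstration.

type OrgId = string;

interface SamlConfig {
  idpEntryPoint: string; // assumed field: IdP SSO URL the service provider redirects to
  idpCert: string;       // assumed field: IdP signing certificate (abbreviated)
}

interface Session {
  userId: string;
  orgId: OrgId;          // organization the caller actually authenticated into
  role: "member" | "admin";
}

interface SamlRequest {
  session: Session;
  params: { orgId: OrgId }; // assumed route shape: /auth/saml/:orgId
  body: Partial<SamlConfig>;
}

class Forbidden extends Error {
  constructor(message: string) {
    super(message);
    this.name = "Forbidden";
  }
}

// Constructed two-tenant store standing in for the database; a fresh copy per run.
function newStore(): Map<OrgId, SamlConfig> {
  return new Map<OrgId, SamlConfig>([
    ["org-a", { idpEntryPoint: "https://idp.a.example/sso", idpCert: "MIIC...a" }],
    ["org-b", { idpEntryPoint: "https://idp.b.example/sso", idpCert: "MIIC...b" }],
  ]);
}

// VULNERABLE: the only key is the org id taken from the URL, so any authenticated
// user of any organization can rewrite any other organization's IdP configuration.
function updateSamlVulnerable(req: SamlRequest, db: Map<OrgId, SamlConfig>): SamlConfig {
  const current = db.get(req.params.orgId);
  if (!current) throw new Error("unknown organization");
  const next = { ...current, ...req.body };
  db.set(req.params.orgId, next);
  return next;
}

// HARDENED: the tenant is the session's organization, the URL must agree with it,
// and changing the IdP additionally requires the admin role.
function requireOwnOrg(req: SamlRequest): OrgId {
  if (req.params.orgId !== req.session.orgId) {
    throw new Forbidden(`session org ${req.session.orgId} may not access ${req.params.orgId}`);
  }
  return req.session.orgId;
}

function updateSamlFixed(req: SamlRequest, db: Map<OrgId, SamlConfig>): SamlConfig {
  const orgId = requireOwnOrg(req);
  if (req.session.role !== "admin") throw new Forbidden("admin role required");
  const current = db.get(orgId);
  if (!current) throw new Error("unknown organization");
  const next = { ...current, ...req.body };
  db.set(orgId, next);
  return next;
}

// The metadata read path gets the same tenant check; the original flaw exposed it too.
function readSamlMetadataFixed(req: SamlRequest, db: Map<OrgId, SamlConfig>): SamlConfig {
  const cfg = db.get(requireOwnOrg(req));
  if (!cfg) throw new Error("unknown organization");
  return cfg;
}

// Constructed attack: an ordinary member of org-a points org-b at an IdP they control.
// Once accepted, an assertion from that IdP naming any known org-b email logs in as that user.
const crossOrgAttack: SamlRequest = {
  session: { userId: "mallory", orgId: "org-a", role: "member" },
  params: { orgId: "org-b" },
  body: { idpEntryPoint: "https://idp.attacker.example/sso", idpCert: "MIIC...attacker" },
};

// Replays the attack against both handlers and reports what happened to org-b.
function demo(): { vulnerableHijacked: boolean; fixedBlocked: boolean } {
  const dbVuln = newStore();
  updateSamlVulnerable(crossOrgAttack, dbVuln);
  const vulnerableHijacked =
    dbVuln.get("org-b")!.idpEntryPoint === "https://idp.attacker.example/sso";
  const dbFixed = newStore();
  let rejected = false;
  try {
    updateSamlFixed(crossOrgAttack, dbFixed);
  } catch (e) {
    rejected = e instanceof Forbidden;
  }
  const fixedBlocked =
    rejected && dbFixed.get("org-b")!.idpEntryPoint === "https://idp.b.example/sso";
  return { vulnerableHijacked, fixedBlocked };
}
```

The point of the hardened version is that the tenant identifier is never taken from client-controlled input: `requireOwnOrg` makes the URL agree with the session, and the database lookup is keyed on the session's organization. Checking only that the caller is logged in (which the vulnerable handler already does) is exactly what CVE-2024-6582 shows to be insufficient.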

CWE(s): CWE-306 Missing Authentication for Critical Function

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Lunary.ai (lunary-ai/lunary) is an open-source observability and evaluation platform for LLMs and AI applications, commonly used in enterprise settings for monitoring AI deployments, which aligns with the Enterprise AI Assistants category.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1484.002 Domain or Tenant Policy Modification: Trust Modification (Defense Impairment)
Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.
T1556 Modify Authentication Process (Defense Impairment)
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.
T1078.004 Valid Accounts: Cloud Accounts (Stealth)
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1606.002 Forge Web Credentials: SAML Tokens (Credential Access)
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.

Why these techniques?

Broken access control lets a user of one organization rewrite another organization's SAML IdP settings and read its SSO metadata. Rewriting the IdP configuration is a trust modification (T1484.002) and a change to the authentication process (T1556); once the target organization trusts an attacker-controlled IdP, assertions issued by that IdP for a known user email yield cloud account access by impersonation (T1078.004). One caveat on T1606.002: as defined in ATT&CK it presumes possession of the legitimate token-signing certificate, whereas here the attacker does not steal that certificate but replaces the trusted IdP (and its certificate) with their own, so the forged assertions are ones the victim configuration has been made to accept.

MITRE ATLAS Techniques

AML.T0029: Denial of AI Service
AML.T0031: Erode AI Model Integrity

Affected Assets

lunary (lunary-ai/lunary): versions ≤ 1.4.9

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-306) cited in the NVD entry, so it describes generic authentication controls. For this particular flaw, where the caller is already authenticated but is not checked against the target organization, the direct fix is to enforce that the organization in any SAML settings or metadata request matches the organization bound to the caller's session, and the most useful detective control is auditing those requests for cross-organization access.

Each of the following addresses CWE-306:

Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.
Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
Auditing sessions makes it possible to detect access to critical functions without required authentication.
The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.
Certification assesses that critical functions have required authentication controls in place.
Disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components.
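The session-auditing control above is generic; for this CVE the concrete signal is a request whose session belongs to one organization while its SAML settings or metadata path names another. The following added example (not lunary's code) runs that check over constructed JSON audit lines. It assumes the application logs the caller's session organization, the HTTP method, the path and the response status, and that the SAML routes have the shape `/auth/saml/:orgId` and `/auth/saml/:orgId/metadata`; those field names and routes are assumptions.

```typescript
// Added illustrative example, not lunary's code. Flags cross-organization access
// to SAML settings or metadata in a request audit log. The log format (one JSON
// object per line with sessionOrg, method, path, status) and the route shapes are
// assumptions made for the demonstration.

interface AuditEvent {
  ts: string;
  userId: string;
  sessionOrg: string; // organization the session was authenticated into
  method: string;
  path: string;
  status: number;
}

interface Finding {
  ts: string;
  userId: string;
  sessionOrg: string;
  targetOrg: string;
  action: "read" | "write";
  succeeded: boolean;  // a 2xx/3xx on a cross-org write is confirmed exploitation
}

// Assumed route shapes: /auth/saml/:orgId (settings) and /auth/saml/:orgId/metadata.
const SAML_ROUTE = /^\/auth\/saml\/([^/]+)(?:\/metadata)?$/;

function parseLine(line: string): AuditEvent | null {
  try {
    const o = JSON.parse(line);
    if (typeof o.path !== "string" || typeof o.sessionOrg !== "string") return null;
    return o as AuditEvent;
  } catch {
    return null; // malformed lines are skipped, not fatal
  }
}

function findCrossOrgSamlAccess(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const m = SAML_ROUTE.exec(ev.path);
    if (!m) continue;
    const targetOrg = m[1];
    if (targetOrg === ev.sessionOrg) continue; // normal same-tenant access
    findings.push({
      ts: ev.ts,
      userId: ev.userId,
      sessionOrg: ev.sessionOrg,
      targetOrg,
      action: ev.method === "GET" || ev.method === "HEAD" ? "read" : "write",
      succeeded: ev.status < 400,
    });
  }
  return findings;
}

// Constructed sample log: two benign lines, the metadata read and IdP write from
// an org-a session against org-b, a blocked attempt, and one malformed line.
const SAMPLE_LOG: string[] = [
  '{"ts":"2024-09-13T10:00:01Z","userId":"alice","sessionOrg":"org-b","method":"GET","path":"/auth/saml/org-b/metadata","status":200}',
  '{"ts":"2024-09-13T10:00:05Z","userId":"mallory","sessionOrg":"org-a","method":"GET","path":"/auth/saml/org-b/metadata","status":200}',
  '{"ts":"2024-09-13T10:00:09Z","userId":"mallory","sessionOrg":"org-a","method":"PATCH","path":"/auth/saml/org-b","status":200}',
  '{"ts":"2024-09-13T10:00:12Z","userId":"bob","sessionOrg":"org-a","method":"GET","path":"/api/v1/runs","status":200}',
  '{"ts":"2024-09-13T10:00:20Z","userId":"mallory","sessionOrg":"org-a","method":"PATCH","path":"/auth/saml/org-c","status":403}',
  'not json at all',
];

// Convenience entry point over the constructed sample.
function scanSample(): Finding[] {
  return findCrossOrgSamlAccess(SAMPLE_LOG);
}
```

A successful cross-organization write is the line that matters for incident response: it means the target organization's IdP trust may have been replaced, so the response should include restoring that organization's SAML configuration from a known-good copy and reviewing every SSO login to it after the timestamp of the write.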
