Unauthorized Dataset Deletion Vulnerability in lunary version 1.2.2
CVE-2024-5129

8.2HIGH

Key Information:

Vendor: Lunary-ai
Status: Lunary-ai/lunary
Vendor: CVE Published:; 6 June 2024

What is CVE-2024-5129?

A vulnerability has been identified in Lunary AI's Lunary product version 1.2.2 that facilitates privilege escalation. This issue resides within the dataset deletion feature, where the application inadequately verifies user permissions. As a result, any user can execute a DELETE request to the server without proper authorization, enabling them to erase any dataset by indicating its ID. The vulnerability lies in the datasets.delete function located in the datasets index file, which lacks essential checks for user permissions, potentially compromising data integrity and security.

Affected Version(s)

lunary-ai/lunary < 1.2.8

References

https://huntr.com/bounties/a6c0deb3-6a4c-4188-8aaa-9e6207...

https://github.com/lunary-ai/lunary/commit/14078c1d2b8766...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 6, 2024
Vulnerability Reserved
May 19, 2024

Lunary-ai

What is CVE-2024-5129?

Affected Version(s)

References

CVSS V3.1

Timeline