Unauthorized Dataset Deletion Vulnerability in lunary version 1.2.2
CVE-2024-5129
What is CVE-2024-5129?
A vulnerability has been identified in Lunary AI's Lunary product version 1.2.2 that facilitates privilege escalation. This issue resides within the dataset deletion feature, where the application inadequately verifies user permissions. As a result, any user can execute a DELETE request to the server without proper authorization, enabling them to erase any dataset by indicating its ID. The vulnerability lies in the datasets.delete function located in the datasets index file, which lacks essential checks for user permissions, potentially compromising data integrity and security.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
lunary-ai/lunary < 1.2.8
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved