Unauthorized Dataset Deletion Vulnerability in lunary-ai/lunary
CVE-2024-5130

7.5HIGH

Key Information:

Vendor

Lunary-ai

Status
Lunary-ai/lunary
Vendor
CVE Published:
6 June 2024

What is CVE-2024-5130?

A vulnerability in Lunary AI's dataset deletion endpoint allows unauthenticated users to delete any dataset due to insufficient authorization checks. The flaw arises because the system fails to validate if the project ID associated with the dataset belongs to the currently authenticated user. This oversight permits unauthorized deletion of datasets, creating potential risks for data security and integrity. The issue has been rectified in Lunary AI version 1.2.8, ensuring proper authorization checks are in place to secure user data against unauthorized access.

Affected Version(s)

lunary-ai/lunary < 1.2.8

References

https://huntr.com/bounties/e81a9871-308d-4628-9726-af6664...
https://github.com/lunary-ai/lunary/commit/14078c1d2b8766...

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.