Unauthorized Dataset Deletion Vulnerability in lunary-ai/lunary

CVE-2024-5130

7.5HIGH

Key Information

Vendor: Lunary-ai
Status: Lunary-ai/lunary
Vendor: CVE Published:; 6 June 2024

Summary

An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.

Affected Version(s)

lunary-ai/lunary < 1.2.8

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 7.5 - (HIGH)
Jun 6, 2024
Vulnerability published.
Jun 6, 2024
Vulnerability Reserved.
May 19, 2024

Collectors

NVD DatabaseMitre Database