CVE-2024-3761
9.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at packages/backend/src/api/v1/datasets is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset by sending a DELETE request to the endpoint. The issue was fixed in version 1.2.8. The impact of this vulnerability is significant as it permits unauthorized users to delete datasets, potentially leading to data loss or disruption of service.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| lunary-ai | lunary-ai/lunary | unspecified < 1.2.8 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
- https://huntr.com/bounties/e95fb0a0-e54a-4da8-a33d-ba858d0cec55
- https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776
References
- https://huntr.com/bounties/e95fb0a0-e54a-4da8-a33d-ba858d0cec55
- https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.