Lucene search

@huntr_aiCVELIST:CVE-2024-5130

HistoryJun 06, 2024 - 6:43 p.m.

CVE-2024-5130 Incorrect Authorization in lunary-ai/lunary

2024-06-0618:43:30

CWE-863

@huntr_ai

www.cve.org

incorrect authorization

lunary-ai

dataset deletion

authentication

cve-2024-5130

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.

CNA Affected

[
  {
    "vendor": "lunary-ai",
    "product": "lunary-ai/lunary",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "1.2.8",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776

huntr.com/bounties/e81a9871-308d-4628-9726-af66643a16fe

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVELIST:CVE-2024-5130