Lucene search

[email protected]NVD:CVE-2024-3761

HistoryMay 20, 2024 - 9:15 a.m.

CVE-2024-3761

2024-05-2009:15:09

CWE-862

[email protected]

web.nvd.nist.gov

lunary

version 1.2.2

delete endpoint

unauthorized

dataset deletion

missing authorization

authentication

vulnerability

fixed

version 1.2.8

significant impact

data loss

disruption of service

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

9.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at packages/backend/src/api/v1/datasets is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset by sending a DELETE request to the endpoint. The issue was fixed in version 1.2.8. The impact of this vulnerability is significant as it permits unauthorized users to delete datasets, potentially leading to data loss or disruption of service.

References

github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776

huntr.com/bounties/e95fb0a0-e54a-4da8-a33d-ba858d0cec55

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

9.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for NVD:CVE-2024-3761

cvelist1 osv1 cve1 vulnrichment1