An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.
References
Link | Resource |
---|---|
https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776 | Patch |
https://huntr.com/bounties/e81a9871-308d-4628-9726-af66643a16fe | Exploit Issue Tracking Patch Third Party Advisory |
https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776 | Patch |
https://huntr.com/bounties/e81a9871-308d-4628-9726-af66643a16fe | Exploit Issue Tracking Patch Third Party Advisory |
Configurations
History
21 Nov 2024, 09:47
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776 - Patch | |
References | () https://huntr.com/bounties/e81a9871-308d-4628-9726-af66643a16fe - Exploit, Issue Tracking, Patch, Third Party Advisory |
03 Nov 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
CWE |
03 Oct 2024, 16:57
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:* | |
First Time |
Lunary
Lunary lunary |
|
CWE | CWE-639 | |
References | () https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776 - Patch | |
References | () https://huntr.com/bounties/e81a9871-308d-4628-9726-af66643a16fe - Exploit, Issue Tracking, Patch, Third Party Advisory |
07 Jun 2024, 14:56
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
06 Jun 2024, 19:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-06 19:16
Updated : 2024-11-21 09:47
NVD link : CVE-2024-5130
Mitre link : CVE-2024-5130
CVE.ORG link : CVE-2024-5130
JSON object : View
Products Affected
lunary
- lunary
CWE
CWE-639
Authorization Bypass Through User-Controlled Key