CVE-2024-5130: Incorrect Authorization in lunary-ai/lunary
First published: Thu Jun 06 2024(Updated: )
An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Lunary Lunary | <1.2.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/title
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/softwarecombine
- agent/remedy
- agent/tags
- agent/last-modified-date
- agent/weakness
- vendor/lunary
- canonical/lunary lunary