An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-06-06T18:43:30.816Z
Updated: 2024-06-06T19:37:08.959Z
Reserved: 2024-05-19T17:58:52.061Z
Link: CVE-2024-5130
JSON object: View
NVD Information
Status : Awaiting Analysis
Published: 2024-06-06T19:16:04.813
Modified: 2024-06-07T14:56:05.647
Link: CVE-2024-5130
JSON object: View
Redhat Information
No data.
CWE