CVE-2024-3761

HIGH

lunary < 1.2.8 - Unauthenticated Dataset Deletion via DELETE Endpoint

Description

In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `packages/backend/src/api/v1/datasets` is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset by sending a DELETE request to the endpoint. The issue was fixed in version 1.2.8. The impact of this vulnerability is significant as it permits unauthorized users to delete datasets, potentially leading to data loss or disruption of service.

Scores

CVSS v3: 7.5
EPSS: 0.0047
EPSS Percentile: 37.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-862
Status: published
Products (1): lunary/lunary < 1.2.8
Published: May 20, 2024
Tracked Since: Feb 18, 2026