CVE-2024-5130

HIGH

lunary-ai/lunary <1.2.8 - Auth Bypass

Title source: llm

Description

An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.

References (2)

Core 2

Core References

Patch

https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776

Exploit, Issue Tracking, Patch, Third Party Advisory

https://huntr.com/bounties/e81a9871-308d-4628-9726-af66643a16fe

Scores

CVSS v3 7.5

EPSS 0.0030

EPSS Percentile 53.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862 CWE-639

Status published

Products (1)

lunary/lunary < 1.2.8

Published Jun 06, 2024

Tracked Since Feb 18, 2026