{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5129", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-05-19T17:53:42.474Z", "datePublished": "2024-06-06T18:28:21.030Z", "dateUpdated": "2024-08-01T21:03:10.779Z"}, "containers": {"cna": {"title": "Privilege Escalation Vulnerability in lunary-ai/lunary", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:28:21.030Z"}, "descriptions": [{"lang": "en", "value": "A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user requesting the deletion has the appropriate permissions. This allows unauthorized users to send a DELETE request to the server and delete any dataset by specifying its ID. The issue is located in the datasets.delete function within the datasets index file."}], "affected": [{"vendor": "lunary-ai", "product": "lunary-ai/lunary", "versions": [{"version": "unspecified", "lessThan": "1.2.8", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/a6c0deb3-6a4c-4188-8aaa-9e6207f82f44"}, {"url": "https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862"}]}], "source": {"advisory": "a6c0deb3-6a4c-4188-8aaa-9e6207f82f44", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "lunary-ai", "product": "lunary", "cpes": ["cpe:2.3:a:lunary-ai:lunary:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.2.8", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-07T15:13:14.009700Z", "id": "CVE-2024-5129", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T15:13:22.112Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:03:10.779Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/a6c0deb3-6a4c-4188-8aaa-9e6207f82f44", "tags": ["x_transferred"]}, {"url": "https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/a6c0deb3-6a4c-4188-8aaa-9e6207f82f44", "tags": ["x_transferred"]}, {"url": "https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:03:10.779Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5129", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-07T15:13:14.009700Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:lunary-ai:lunary:*:*:*:*:*:*:*:*"], "vendor": "lunary-ai", "product": "lunary", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2.8", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T14:59:59.889Z"}}], "cna": {"title": "Privilege Escalation Vulnerability in lunary-ai/lunary", "source": {"advisory": "a6c0deb3-6a4c-4188-8aaa-9e6207f82f44", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "lunary-ai", "product": "lunary-ai/lunary", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.2.8", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/a6c0deb3-6a4c-4188-8aaa-9e6207f82f44"}, {"url": "https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776"}], "descriptions": [{"lang": "en", "value": "A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user requesting the deletion has the appropriate permissions. This allows unauthorized users to send a DELETE request to the server and delete any dataset by specifying its ID. The issue is located in the datasets.delete function within the datasets index file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:28:21.030Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5129", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:03:10.779Z", "dateReserved": "2024-05-19T17:53:42.474Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-06-06T18:28:21.030Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "matchCriteriaId": "861B7DD6-6AAA-48C1-94F7-687729B042B6", "versionEndExcluding": "1.2.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user requesting the deletion has the appropriate permissions. This allows unauthorized users to send a DELETE request to the server and delete any dataset by specifying its ID. The issue is located in the datasets.delete function within the datasets index file."}, {"lang": "es", "value": "Existe una vulnerabilidad de escalada de privilegios en lunary-ai/lunary versi\u00f3n 1.2.2, donde cualquier usuario puede eliminar cualquier conjunto de datos debido a que faltan verificaciones de autorizaci\u00f3n. La vulnerabilidad est\u00e1 presente en la funcionalidad de eliminaci\u00f3n del conjunto de datos, donde la aplicaci\u00f3n no puede verificar si el usuario que solicita la eliminaci\u00f3n tiene los permisos adecuados. Esto permite a usuarios no autorizados enviar una solicitud DELETE al servidor y eliminar cualquier conjunto de datos especificando su ID. El problema se encuentra en la funci\u00f3n datasets.delete dentro del archivo de \u00edndice de conjuntos de datos."}], "id": "CVE-2024-5129", "lastModified": "2024-11-21T09:47:02.097", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-06T19:16:04.583", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.com/bounties/a6c0deb3-6a4c-4188-8aaa-9e6207f82f44"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.com/bounties/a6c0deb3-6a4c-4188-8aaa-9e6207f82f44"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@huntr.dev", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}