An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.
Metrics
Affected Vendors & Products
References
History
Sun, 03 Nov 2024 17:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-863 |
Sun, 03 Nov 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Lunary-ai
Lunary-ai lunary |
|
CPEs | cpe:2.3:a:lunary-ai:lunary:*:*:*:*:*:*:*:* | |
Vendors & Products |
Lunary-ai
Lunary-ai lunary |
|
Metrics |
ssvc
|
Thu, 03 Oct 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Lunary
Lunary lunary |
|
Weaknesses | CWE-639 | |
CPEs | cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:* | |
Vendors & Products |
Lunary
Lunary lunary |
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-06-06T18:43:30.816Z
Updated: 2024-11-03T18:27:24.112Z
Reserved: 2024-05-19T17:58:52.061Z
Link: CVE-2024-5130
Vulnrichment
Updated: 2024-08-01T21:03:10.695Z
NVD
Status : Modified
Published: 2024-06-06T19:16:04.813
Modified: 2024-11-03T17:15:14.603
Link: CVE-2024-5130
Redhat
No data.