Back

CVE-2024-3761

May 20, 2024, 1 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

lunary-ai/lunary

  • 1.2.2
  • 1.2.8

Source

security@huntr.dev

Tags

CWE-862
security@huntr.dev
2024-05-20
CVE-2024-3761

CVE-2024-3761 details

Published : May 20, 2024, 9:15 a.m.
Last Modified : May 20, 2024, 1 p.m.

Description

In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `packages/backend/src/api/v1/datasets` is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset by sending a DELETE request to the endpoint. The issue was fixed in version 1.2.8. The impact of this vulnerability is significant as it permits unauthorized users to delete datasets, potentially leading to data loss or disruption of service.

CVSS Score

1 2 3 4 5 6 7 8 9.1 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.1

Exploitability Score

Impact Score

Base Severity

CRITICAL

Vector String : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

URL Source
https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776 security@huntr.dev
https://huntr.com/bounties/e95fb0a0-e54a-4da8-a33d-ba858d0cec55 security@huntr.dev
This website uses the NVD API, but is not approved or certified by it.