A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user requesting the deletion has the appropriate permissions. This allows unauthorized users to send a DELETE request to the server and delete any dataset by specifying its ID. The issue is located in the datasets.delete function within the datasets index file.
Metrics
Affected Vendors & Products
References
History
Thu, 03 Oct 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Lunary
Lunary lunary |
|
CPEs | cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:* | |
Vendors & Products |
Lunary
Lunary lunary |
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-06-06T18:28:21.030Z
Updated: 2024-08-01T21:03:10.779Z
Reserved: 2024-05-19T17:53:42.474Z
Link: CVE-2024-5129
Vulnrichment
Updated: 2024-08-01T21:03:10.779Z
NVD
Status : Modified
Published: 2024-06-06T19:16:04.583
Modified: 2024-11-21T09:47:02.097
Link: CVE-2024-5129
Redhat
No data.