ID CVE-2024-5130
Summary An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.
References
Vulnerable Configurations
  • cpe:2.3:a:lunary:lunary:-:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:-:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:0.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:0.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:0.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:0.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:0.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:0.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:0.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:0.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:0.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:0.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:0.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:0.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:0.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:0.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:0.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:0.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:0.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:0.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*
    cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*
CVSS
Base: None
Impact:
Exploitability:
CWE CWE-639
CAPEC
Access
VectorComplexityAuthentication
Impact
ConfidentialityIntegrityAvailability
Last major update 03-11-2024 - 17:15
Published 06-06-2024 - 19:16
Last modified 03-11-2024 - 17:15
Back to Top