Privilege Escalation Vulnerability in Dataset Deletion
A Privilege Escalation Vulnerability in lunary-ai/lunary version 1.2.2 allows any user to delete any dataset. This issue was patched in version 1.2.8.
Available publicly on May 20 2024 | Available with Premium on May 19 2024
Threat Overview
The vulnerability arises from a lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint datasets.delete('/:id', async (ctx: Context) => {...}) directly deletes a dataset based on the ID provided in the URL without verifying that the requester has the appropriate permissions to perform this action. This oversight allows any authenticated or unauthenticated user to delete any dataset simply by knowing or guessing the dataset's ID.
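The following is an added illustration, not lunary's own code: it models the deletion route described above in memory, with the unscoped delete beside a version that ties the operation to the caller's project. Koa's Context is replaced by a hypothetical RequestCtx type, the dataset store by a Map, and the project identifiers and dataset IDs are constructed sample values.

```typescript
// Added example (not lunary's own code): in-memory model of a dataset
// deletion route, unscoped versus scoped to the requester's project.

interface Dataset {
  id: string;
  projectId: string;
  name: string;
}

// Hypothetical request context: the URL parameter plus whatever the
// authentication layer resolved about the caller (projectId is undefined
// when the request carried no valid credentials).
interface RequestCtx {
  params: { id: string };
  state: { projectId?: string };
  status: number;
  body: unknown;
}

// Constructed sample data: two projects, one dataset each.
export function seedStore(): Map<string, Dataset> {
  return new Map<string, Dataset>([
    ["ds-alpha", { id: "ds-alpha", projectId: "proj-a", name: "alpha" }],
    ["ds-beta", { id: "ds-beta", projectId: "proj-b", name: "beta" }],
  ]);
}

export function makeCtx(id: string, projectId?: string): RequestCtx {
  return { params: { id }, state: { projectId }, status: 404, body: null };
}

// Vulnerable pattern: the row is removed purely on the URL id, so any
// caller who knows or guesses an id can delete any dataset.
export function deleteDatasetUnscoped(
  store: Map<string, Dataset>,
  ctx: RequestCtx,
): boolean {
  const removed = store.delete(ctx.params.id);
  ctx.status = 200;
  ctx.body = {};
  return removed;
}

// Hardened pattern: require an authenticated caller and scope the delete to
// that caller's project, the in-memory equivalent of
//   DELETE FROM dataset WHERE id = $id AND project_id = $projectId
export function deleteDatasetScoped(
  store: Map<string, Dataset>,
  ctx: RequestCtx,
): boolean {
  const projectId = ctx.state.projectId;
  if (!projectId) {
    ctx.status = 401;
    ctx.body = { error: "authentication required" };
    return false;
  }
  const dataset = store.get(ctx.params.id);
  // Same response for "missing" and "belongs to another project", so the
  // endpoint does not confirm which ids exist outside the caller's scope.
  if (!dataset || dataset.projectId !== projectId) {
    ctx.status = 404;
    ctx.body = { error: "dataset not found" };
    return false;
  }
  store.delete(ctx.params.id);
  ctx.status = 200;
  ctx.body = {};
  return true;
}
```

The scoped version makes the ownership condition part of the delete itself rather than a separate lookup followed by an unconditional delete, so a request that reaches the handler with someone else's ID has no row it is permitted to remove.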
Attack Scenario
An attacker exploiting this vulnerability could send a DELETE request to the /v1/datasets/{dataset_id} endpoint with the ID of the dataset they wish to delete. Since there are no checks on the user's permissions, the request would result in the deletion of the specified dataset, leading to potential data loss and disruption of service for legitimate users.
Who is affected
All users of lunary-ai/lunary version 1.2.2 are affected by this vulnerability, as any user could have their datasets deleted by an attacker. This includes both authenticated users who rely on the integrity and availability of their datasets and the administrators who maintain the application.