Privilege Escalation Vulnerability in Dataset Deletion
A Privilege Escalation Vulnerability in lunary-ai/lunary version 1.2.2 allows any user to delete any dataset. This issue was patched in version 1.2.8.
Available publicly on May 20 2024 | Available with Premium on May 19 2024
Remediation Steps
- Upgrade to lunary-ai/lunary version 1.2.8 or later.
- Implement authorization checks on all sensitive endpoints to ensure that only users with the correct permissions can perform actions.
- Regularly audit your codebase for similar vulnerabilities.
- Consider implementing rate limiting and logging to detect and mitigate abuse patterns.
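The authorization check from the second remediation step, applied to a dataset-deletion handler, with denied attempts logged as the last step suggests. This is an added example, not Lunary's code or the patch itself; the role names, the `orgId` tenant field, the in-memory store and every function name are assumptions made for illustration.

```javascript
// Added illustration; not Lunary's code. All names and roles are hypothetical.
const ROLES_ALLOWED_TO_DELETE = new Set(["owner", "admin"]); // assumed role model

// Constructed sample data: two tenants with one dataset each.
function makeStore() {
  return new Map([
    ["ds-1", { id: "ds-1", orgId: "org-a" }],
    ["ds-2", { id: "ds-2", orgId: "org-b" }],
  ]);
}

// Before: only authentication is checked, so any logged-in user can
// delete any dataset whose id they supply.
function deleteDatasetUnchecked(store, user, datasetId) {
  if (!user) return { status: 401 };
  return store.delete(datasetId) ? { status: 200 } : { status: 404 };
}

// After: the dataset must belong to the caller's org and the caller's role
// must permit deletion. Both checks run before any state changes, and
// every denial is appended to an audit log.
function deleteDataset(store, user, datasetId, audit = []) {
  if (!user) return { status: 401 };
  const ds = store.get(datasetId);
  // Same 404 for "missing" and "other tenant", so ids cannot be probed.
  if (!ds || ds.orgId !== user.orgId) {
    audit.push({ event: "dataset.delete.denied", user: user.id, datasetId, reason: "not_in_org" });
    return { status: 404 };
  }
  if (!ROLES_ALLOWED_TO_DELETE.has(user.role)) {
    audit.push({ event: "dataset.delete.denied", user: user.id, datasetId, reason: "role" });
    return { status: 403 };
  }
  store.delete(datasetId);
  return { status: 200 };
}

// Constructed callers: a low-privilege member and an admin of org-a.
const viewer = { id: "u1", orgId: "org-a", role: "viewer" };
const admin = { id: "u2", orgId: "org-a", role: "admin" };
const log = [];
const store = makeStore();
console.log(deleteDataset(store, viewer, "ds-2", log)); // other tenant's dataset
console.log(deleteDataset(store, viewer, "ds-1", log)); // own org, insufficient role
console.log(deleteDataset(store, admin, "ds-1", log));  // permitted
console.log(log);
```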
Patch Details
- Fixed Version: 1.2.8
- Patch Commit: https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776