Critical

lunary

Unauthorized Dataset Deletion Vulnerability in API Endpoint

A critical vulnerability was identified in lunary-ai/lunary version 1.2.2, where the DELETE endpoint for datasets lacked proper authorization checks, allowing unauthorized deletion of datasets. This issue was patched in version 1.2.8.

Available publicly on May 20 2024

9.1

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Credit:

thelicato
Threat Overview

The vulnerability stems from the absence of authentication and authorization mechanisms on the DELETE endpoint for datasets within the application. As a result, any individual, regardless of their authentication status, could issue a DELETE request to remove a dataset. This flaw exposes all datasets to potential unauthorized deletion, posing a significant risk to data integrity and availability within the application.

Attack Scenario

An attacker, without needing to authenticate, can exploit this vulnerability by sending a specially crafted DELETE request to the vulnerable endpoint. By setting the environment variable DEFAULT_PLAN to unlimited, gaining UI access, and then creating a dataset, the attacker can subsequently send a DELETE request specifying the ID of the dataset they wish to remove. This action results in the deletion of the dataset without any verification of the requester's identity or permissions.

Who is affected

All users of the lunary-ai/lunary application version 1.2.2 are affected by this vulnerability, as any dataset they create or rely on within the application could be deleted by an unauthorized party.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 624 related security advisories that are available with Sightline Premium.