Unauthorized Dataset Deletion Vulnerability in API Endpoint
A critical vulnerability was identified in lunary-ai/lunary version 1.2.2, where the DELETE endpoint for datasets lacked proper authorization checks, allowing unauthorized deletion of datasets. This issue was patched in version 1.2.8.
Available publicly on May 20 2024 | Available with Premium on Apr 13 2024
Threat Overview
The vulnerability stems from the absence of authentication and authorization mechanisms on the DELETE endpoint for datasets within the application. As a result, any individual, regardless of their authentication status, could issue a DELETE request to remove a dataset. This flaw exposes all datasets to potential unauthorized deletion, posing a significant risk to data integrity and availability within the application.
Attack Scenario
No credentials are needed to exploit this: the attacker sends an ordinary HTTP DELETE request to the datasets endpoint with the target dataset's ID in the path, and the server removes the dataset without checking who sent the request or whether they own it. The reproduction reported for version 1.2.2 first sets the environment variable DEFAULT_PLAN to unlimited so the attacker can obtain UI access and create a dataset to target, then issues an unauthenticated DELETE for that dataset's ID. The setup steps only exist to produce a known ID; the deletion itself works for any dataset ID the attacker can obtain or guess, with no verification of identity or permissions.
Who is affected
All users of the lunary-ai/lunary application version 1.2.2 are affected by this vulnerability, as any dataset they create or rely on within the application could be deleted by an unauthorized party.