Unauthorized Dataset Deletion Vulnerability in API Endpoint
A critical vulnerability was identified in lunary-ai/lunary version 1.2.2: the DELETE endpoint for datasets did not verify that the requesting user was authorized to act on the dataset referenced in the request, so a caller could delete datasets they should not have been able to reach. This issue was patched in version 1.2.8.
Available publicly on May 20 2024 | Available with Premium on Apr 13 2024
Remediation Steps
- Upgrade to version 1.2.8 of lunary-ai/lunary to patch the vulnerability.
- Enforce authentication and object-level authorization on every endpoint that modifies or deletes data: check that the caller is permitted to act on the specific dataset named in the request, not merely that the caller is logged in.
- Regularly review and audit code for security vulnerabilities, particularly focusing on authentication and authorization mechanisms.
- Consider implementing rate limiting and logging for sensitive operations to detect and mitigate potential abuse.
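To make the remediation concrete, the following is an added example (not lunary's own code) of a dataset DELETE handler in its vulnerable and hardened forms. The project-scoped ownership model, the in-memory store standing in for the database, and all names are assumptions made for illustration; the hardened form also records an audit event per successful delete, matching the logging step above.

```typescript
// Added example, not code from lunary-ai/lunary. Models a DELETE /datasets/:id handler.
// Assumptions: datasets belong to a project, the authenticated caller acts within one
// project, and a Map stands in for the database table.

export interface Dataset {
  id: string;
  projectId: string; // tenant that owns the dataset (assumed ownership model)
  slug: string;
}

export interface Caller {
  userId: string;
  projectId: string; // tenant the authenticated caller is acting within
}

export interface Result {
  status: number;
  body: { ok?: boolean; error?: string };
}

export interface AuditEvent {
  actor: string;
  action: "dataset.delete";
  datasetId: string;
  projectId: string;
}

// Constructed sample data: two datasets in two different projects.
export function makeStore(): Map<string, Dataset> {
  return new Map<string, Dataset>([
    ["ds-1", { id: "ds-1", projectId: "proj-A", slug: "eval-set" }],
    ["ds-2", { id: "ds-2", projectId: "proj-B", slug: "golden" }],
  ]);
}

// Vulnerable pattern: the handler trusts the `:id` path parameter and deletes by id
// alone. Authentication has happened (we have a Caller), but nothing ties the caller
// to the dataset, so any authenticated user can delete any dataset whose id they know.
export function deleteDatasetVulnerable(
  store: Map<string, Dataset>,
  _caller: Caller,
  id: string,
): Result {
  if (!store.has(id)) return { status: 404, body: { error: "not found" } };
  store.delete(id); // equivalent to: DELETE FROM dataset WHERE id = $1
  return { status: 200, body: { ok: true } };
}

// Hardened pattern: both the lookup and the delete are scoped to the caller's project
// (equivalent to: DELETE FROM dataset WHERE id = $1 AND project_id = $2). A dataset in
// another project is answered with 404 rather than 403 so the endpoint does not confirm
// that the id exists. Every successful delete is appended to the audit trail.
export function deleteDatasetSecure(
  store: Map<string, Dataset>,
  caller: Caller,
  id: string,
  audit: AuditEvent[] = [],
): Result {
  const ds = store.get(id);
  if (!ds || ds.projectId !== caller.projectId) {
    return { status: 404, body: { error: "not found" } };
  }
  store.delete(id);
  audit.push({
    actor: caller.userId,
    action: "dataset.delete",
    datasetId: id,
    projectId: ds.projectId,
  });
  return { status: 200, body: { ok: true } };
}

// Walk through the cross-project case with both handlers.
export function demo(): { vulnerable: number; secure: number; secureOwn: number } {
  const attacker: Caller = { userId: "user-7", projectId: "proj-A" };
  const s1 = makeStore();
  const vulnerable = deleteDatasetVulnerable(s1, attacker, "ds-2").status; // 200: proj-B's dataset is gone
  const s2 = makeStore();
  const audit: AuditEvent[] = [];
  const secure = deleteDatasetSecure(s2, attacker, "ds-2", audit).status; // 404: proj-B's dataset survives
  const secureOwn = deleteDatasetSecure(s2, attacker, "ds-1", audit).status; // 200: own dataset deleted
  return { vulnerable, secure, secureOwn };
}
```

The design point is that the ownership predicate belongs in the same statement as the destructive operation; a separate "does the dataset exist" lookup followed by an unscoped delete leaves a window in which the check and the action disagree, and makes it easy for a later refactor to drop the check entirely.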
Patch Details
- Fixed Version: 1.2.8
- Patch Commit: https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776