Critical Severity

lunary

Unauthorized Dataset Deletion Vulnerability in API Endpoint

A critical vulnerability was identified in lunary-ai/lunary version 1.2.2, where the DELETE endpoint for datasets lacked proper authorization checks, allowing unauthorized deletion of datasets. This issue was patched in version 1.2.8.

Available publicly on May 20 2024

9.1

CVE:

CVE-2024-3761

CWE:

862:Missing Authorization

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Credit:

thelicato
AssessDetect

Premium

Remediate
Remediation Steps
  • Upgrade to version 1.2.8 of lunary-ai/lunary to patch the vulnerability.
  • Implement proper authentication and authorization checks on all sensitive endpoints, especially those allowing data modification or deletion.
  • Regularly review and audit code for security vulnerabilities, particularly focusing on authentication and authorization mechanisms.
  • Consider implementing rate limiting and logging for sensitive operations to detect and mitigate potential abuse.
Patch Details
  • Fixed Version: 1.2.8
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.

Sightline logo
About Protect AIPrivacy PolicyTerms of Service
© 2024 Protect AI, Inc.
Slack iconLinkedIn iconYoutube iconX icon