Critical

lunary

IDOR Vulnerability in Dataset Management

An IDOR vulnerability was identified in the lunary-ai/lunary application, allowing unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation across all projects. This issue affected version 1.2.2 and was patched in version 1.2.25.

Available publicly on May 20, 2024

CVSS score: 9.4

CVSS vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Credit:

fewword

Threat Overview

The vulnerability stems from improper access control in the application's dataset management functions. Specifically, the application does not verify that the caller's project owns a dataset_prompt or dataset_prompt_variation before allowing operations on it; the record is located by its ID alone. As a result, any authenticated user could view, modify, or remove data belonging to other projects, undermining both the integrity and the confidentiality of that data.
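To make the missing check concrete, here is an added example (not code from lunary-ai/lunary) contrasting an id-only delete handler with one that scopes every lookup to the caller's project; the in-memory store, handler names and ownership rule are assumptions, and the same scoped lookup is reused for update so it covers the view/update/delete cases the advisory lists.

```javascript
// Added illustration of the access-control gap; not lunary's own code.
// The store, handler names and project-ownership rule are assumptions.

// Constructed sample data: two projects, each owning one dataset_prompt.
function makeStore() {
  return {
    dataset_prompt: new Map([
      ["p1", { id: "p1", projectId: "projA", text: "Summarise the ticket" }],
      ["p2", { id: "p2", projectId: "projB", text: "Classify the email" }],
    ]),
  };
}

// Vulnerable shape: the row is deleted by id alone, so any authenticated
// caller can remove a prompt that belongs to a different project.
function deletePromptVulnerable(store, promptId) {
  const deleted = store.dataset_prompt.delete(promptId);
  return { status: deleted ? 200 : 404 };
}

// Shared ownership check. callerProjectId must come from the session or
// API key, never from the request body or query string.
function findOwnedRow(store, table, id, callerProjectId) {
  const row = store[table].get(id);
  return row && row.projectId === callerProjectId ? row : null;
}

// Hardened delete: a row the caller does not own is treated as absent (404),
// so the endpoint does not confirm that ids from other projects exist.
function deletePromptScoped(store, promptId, callerProjectId) {
  if (!findOwnedRow(store, "dataset_prompt", promptId, callerProjectId)) {
    return { status: 404 };
  }
  store.dataset_prompt.delete(promptId);
  return { status: 200 };
}

// Hardened update: same ownership gate before the row is touched.
function updatePromptScoped(store, promptId, callerProjectId, newText) {
  const row = findOwnedRow(store, "dataset_prompt", promptId, callerProjectId);
  if (!row) return { status: 404 };
  row.text = newText;
  return { status: 200, row };
}

// Returns true when a caller from projA cannot remove or edit projB's prompt.
function crossProjectAccessBlocked() {
  const store = makeStore();
  const del = deletePromptScoped(store, "p2", "projA");
  const upd = updatePromptScoped(store, "p2", "projA", "tampered");
  return del.status === 404 && upd.status === 404 &&
    store.dataset_prompt.get("p2").text === "Classify the email";
}
```

Every handler that reads, updates or deletes a dataset_prompt or dataset_prompt_variation should go through the same ownership gate; a fix that only patches DELETE leaves the view and update paths exposed.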

Attack Scenario

An attacker with an authenticated account could exploit this vulnerability by sending DELETE (or update) requests that reference dataset_prompt or dataset_prompt_variation IDs belonging to other projects. Because the server does not check ownership, the attacker could delete or alter those entries without authorization, potentially causing loss of critical data or unauthorized data modification.

Who is affected

Any user or data within the lunary-ai/lunary application that relies on the integrity and confidentiality of dataset prompts and their variations is at risk due to this vulnerability. This includes project managers, data scientists, and other stakeholders who depend on accurate and secure dataset management.
