Critical

lunary

IDOR Vulnerability in Dataset Management

An IDOR vulnerability was identified in the lunary-ai/lunary application, allowing unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation across all projects. This issue affected version 1.2.2 and was patched in version 1.2.25.

Available publicly on May 20 2024

CVSS: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)

Credit: fewword

Remediation Steps
  • Ensure proper access control checks are implemented before performing any data manipulation operations.
  • Update the application to version 1.2.25 or later, where the vulnerability has been patched.
  • Review and audit all data manipulation endpoints for similar vulnerabilities.
  • Implement logging and monitoring to detect potential abuse of data management functions.
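
The access control check and the logging step above, sketched as an added example; this is not lunary's code and not the patch commit. The record shapes, the in-memory tables and the names viewUnsafe, owningProject and handle are assumptions made for illustration, as is the choice to answer 404 for records owned by another project.

```javascript
// Added example: constructed in-memory data. Record shapes and field names
// are assumptions for illustration, not lunary's actual schema or code.
const datasets = new Map([["ds-a", { projectId: "proj-a" }], ["ds-b", { projectId: "proj-b" }]]);
const prompts = new Map([
  ["p-1", { datasetId: "ds-a", text: "hello" }],
  ["p-2", { datasetId: "ds-b", text: "other tenant" }],
]);
const variations = new Map([["v-1", { promptId: "p-1" }], ["v-2", { promptId: "p-2" }]]);
const tables = new Map([["prompt", prompts], ["variation", variations]]);
const auditLog = []; // denied cross-project attempts, kept for monitoring

// IDOR pattern: the record is selected by the client-supplied id alone.
function viewUnsafe(kind, id) {
  return tables.get(kind)?.get(id) ?? null;
}

// Resolve variation -> prompt -> dataset -> project; null if any link is missing.
function owningProject(kind, id) {
  const promptId = kind === "variation" ? variations.get(id)?.promptId : id;
  const datasetId = prompts.get(promptId)?.datasetId;
  return datasets.get(datasetId)?.projectId ?? null;
}

// Hardened handler: view, update and delete are all gated on the caller's
// project owning the record. Missing and foreign ids both return 404, and
// only foreign ids (a real record in another project) are logged.
function handle(ctx, action, kind, id, patch = {}) {
  const table = tables.get(kind);
  if (!table) return { status: 400 };
  const owner = owningProject(kind, id);
  if (owner === null || owner !== ctx.projectId) {
    if (owner !== null) auditLog.push({ user: ctx.userId, from: ctx.projectId, action, kind, id });
    return { status: 404 };
  }
  const record = table.get(id);
  if (action === "view") return { status: 200, body: record };
  if (action === "update") {
    // Drop parent links from the patch so an update cannot re-home the record.
    const { datasetId, promptId, ...safe } = patch;
    Object.assign(record, safe);
    return { status: 200 };
  }
  if (action === "delete") { table.delete(id); return { status: 204 }; }
  return { status: 400 };
}
```
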
Patch Details
  • Fixed Version: 1.2.25
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f