IDOR Vulnerability Allowing Unauthenticated Dataset Deletion
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in lunary-ai/lunary version 1.2.2, allowing unauthenticated users to delete any dataset. This issue was patched in version 1.2.8.
Available publicly on May 20 2024 | Available with Premium on May 19 2024
Threat Overview
The vulnerability stems from a missing authorization check on the dataset-deletion endpoint. The handler neither verifies that the request is authenticated at all nor that the dataset ID supplied in the request belongs to the caller, so anyone who knows (or can obtain) a dataset ID can delete that dataset.
Attack Scenario
An attacker first creates an ordinary user account on https://app.lunary.ai to learn how the application structures its requests and to obtain a valid dataset ID. They then send a DELETE request for the target dataset to the vulnerable endpoint without an Authorization header, and the dataset is deleted regardless of who owns it. Because no authentication is required, the attack can be carried out by anyone who can reach the endpoint, which makes the issue particularly severe.
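The following TypeScript is an added illustration of the two passages above; it is not lunary's own code. It models a dataset-delete handler with an in-memory store, first with the missing checks the advisory describes (no authentication, no ownership check) and then hardened with the two checks a fix needs: authenticate the request, then scope the lookup and the delete to the caller's own project. The store, sessions, tokens, dataset IDs and function names are all constructed for the example.

```typescript
// Added example (not lunary's code). All data below is constructed:
// two projects, each owning one dataset, and one bearer token per project.

type Dataset = { id: string; projectId: string; name: string };
type Session = { userId: string; projectId: string };
type Request = { params: { id: string }; headers: Record<string, string> };
type Response = { status: number; body: unknown };

const sessionsByToken: Record<string, Session> = {
  "tok-alice": { userId: "u1", projectId: "p1" },
  "tok-mallory": { userId: "u2", projectId: "p2" },
};

function makeStore(): Map<string, Dataset> {
  return new Map([
    ["ds-1", { id: "ds-1", projectId: "p1", name: "alice-eval" }],
    ["ds-2", { id: "ds-2", projectId: "p2", name: "mallory-scratch" }],
  ]);
}

// VULNERABLE: deletes whatever id the caller names. Nothing looks at the
// Authorization header or at which project owns the dataset, which is the
// behaviour the advisory describes.
function deleteDatasetVulnerable(store: Map<string, Dataset>, req: Request): Response {
  const { id } = req.params;
  if (!store.has(id)) return { status: 404, body: { error: "not found" } };
  store.delete(id);
  return { status: 200, body: { ok: true } };
}

// Resolve a "Bearer <token>" header to a session; undefined if absent/unknown.
function authenticate(req: Request): Session | undefined {
  const header = req.headers["authorization"] ?? "";
  const [scheme, token] = header.split(" ");
  if (scheme !== "Bearer" || !token) return undefined;
  return sessionsByToken[token];
}

// HARDENED: authenticate first, then scope the lookup to the caller's project
// so the id alone never grants access. A dataset that exists but belongs to
// another project is reported as 404, not 403, so the endpoint does not
// confirm that a guessed id is valid somewhere else.
function deleteDatasetHardened(store: Map<string, Dataset>, req: Request): Response {
  const session = authenticate(req);
  if (!session) return { status: 401, body: { error: "unauthorized" } };
  const { id } = req.params;
  const ds = store.get(id);
  if (!ds || ds.projectId !== session.projectId) {
    return { status: 404, body: { error: "not found" } };
  }
  store.delete(id);
  return { status: 200, body: { ok: true } };
}

// Replay the advisory's scenario against both handlers: an unauthenticated
// DELETE for a dataset id the attacker learned elsewhere, plus a
// cross-tenant authenticated attempt and the legitimate owner's request.
function replayScenario() {
  const unauthenticated: Request = { params: { id: "ds-1" }, headers: {} };
  const crossTenant: Request = { params: { id: "ds-1" }, headers: { authorization: "Bearer tok-mallory" } };
  const owner: Request = { params: { id: "ds-1" }, headers: { authorization: "Bearer tok-alice" } };

  const vuln = makeStore();
  const vulnStatus = deleteDatasetVulnerable(vuln, unauthenticated).status;

  const hard = makeStore();
  const anonStatus = deleteDatasetHardened(hard, unauthenticated).status;
  const crossStatus = deleteDatasetHardened(hard, crossTenant).status;
  const ownerStatus = deleteDatasetHardened(hard, owner).status;

  return {
    vulnerable: { status: vulnStatus, remaining: vuln.size },
    hardened: { anon: anonStatus, cross: crossStatus, owner: ownerStatus, remaining: hard.size },
  };
}

console.log(JSON.stringify(replayScenario()));
```

The point of keeping the ownership comparison next to the delete (rather than in a separate "can the user see this dataset?" call) is that a later refactor cannot reintroduce the bug by dropping one of two steps; in a real backend the equivalent is `DELETE ... WHERE id = $1 AND project_id = $2` in a single statement.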
Who is affected
All users of the lunary-ai/lunary application version 1.2.2 are affected by this vulnerability. Specifically, any user who has datasets stored within the application is at risk of having their data deleted by an unauthenticated attacker.