Severity: High

Product: lunary

IDOR Vulnerability Allowing Unauthenticated Dataset Deletion

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in lunary-ai/lunary version 1.2.2, allowing unauthenticated users to delete any dataset. This issue was patched in version 1.2.8.

Publicly disclosed: May 20, 2024

CVSS score: 7.5

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Credit: meme-dm

Threat Overview

The vulnerability stems from a missing authorization check on dataset deletion. The application's dataset deletion endpoint neither verifies that the dataset ID supplied in the request belongs to the authenticated user nor checks whether the request is authenticated at all. As a result, anyone who knows a dataset's ID can delete it.
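To make the missing check concrete, the following added example (not lunary's code) models a dataset deletion handler in memory: the vulnerable pattern, which acts on the ID from the URL without looking at the caller, beside a hardened handler that authenticates the request and scopes the lookup to the caller's own project. The session store, dataset records, token values and response shape are all constructed for illustration.

```javascript
// Added example, not part of the lunary code base. Request objects are the
// minimal { params, headers } shape a Koa/Express-style handler would see.

// Constructed session store: bearer token -> authenticated user and project.
const sessions = new Map([
  ["tok-alice", { userId: "u1", projectId: "p1" }],
  ["tok-bob", { userId: "u2", projectId: "p2" }],
]);

// Constructed dataset store: dataset id -> owning project. A fresh copy per
// scenario so the two handlers can be compared on identical state.
function freshDatasets() {
  return new Map([
    ["ds-100", { projectId: "p1", name: "alice-eval" }],
    ["ds-200", { projectId: "p2", name: "bob-eval" }],
  ]);
}

// Vulnerable pattern (IDOR): the id from the URL is the only input that
// matters; the caller's identity is never established, so any client can
// delete any dataset.
function deleteDatasetVulnerable(datasets, req) {
  const id = req.params.id;
  if (!datasets.has(id)) return { status: 404 };
  datasets.delete(id);
  return { status: 204 };
}

// Resolve the Authorization header to a session, or null when absent/invalid.
function authenticate(req) {
  const header = (req.headers && req.headers.authorization) || "";
  if (!header.startsWith("Bearer ")) return null;
  return sessions.get(header.slice("Bearer ".length)) || null;
}

// Hardened pattern: authenticate first, then authorize by checking that the
// dataset belongs to the caller's project before touching it.
function deleteDatasetFixed(datasets, req) {
  const session = authenticate(req);
  if (!session) return { status: 401 }; // unauthenticated: reject before any lookup
  const id = req.params.id;
  const ds = datasets.get(id);
  // Respond 404 for both "does not exist" and "belongs to another project" so
  // the endpoint does not reveal which ids exist outside the caller's scope.
  if (!ds || ds.projectId !== session.projectId) return { status: 404 };
  datasets.delete(id);
  return { status: 204 };
}

// Walk through the scenarios and return the observed status codes.
function demo() {
  const noAuth = { params: { id: "ds-100" }, headers: {} };
  const asBob = { params: { id: "ds-100" }, headers: { authorization: "Bearer tok-bob" } };
  const asAlice = { params: { id: "ds-100" }, headers: { authorization: "Bearer tok-alice" } };

  const v = freshDatasets();
  const f = freshDatasets();
  return {
    vulnerableNoAuth: deleteDatasetVulnerable(v, noAuth).status, // 204: deleted
    fixedNoAuth: deleteDatasetFixed(f, noAuth).status,           // 401
    fixedWrongOwner: deleteDatasetFixed(f, asBob).status,        // 404
    fixedOwner: deleteDatasetFixed(f, asAlice).status,           // 204
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The important ordering in the hardened handler is authentication before any data access, then an ownership check that is part of the lookup itself rather than a separate step that can be forgotten on another route.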

Attack Scenario

An attacker first creates a user account on https://app.lunary.ai to understand the project's structure and obtain a valid dataset ID. Then, by crafting a DELETE request to the vulnerable endpoint without an Authorization header, the attacker can delete any dataset, regardless of ownership. This attack does not require the attacker to be authenticated, making it particularly severe.
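From the defender's side, the scenario above leaves a recognisable trace: a DELETE on a dataset resource that carries no Authorization header yet succeeds. The added example below (not lunary's code) runs that check over a few constructed access-log lines. The log format, the `/v1/datasets/<id>` path and the `auth=` field are assumptions made for the example, not the application's real logging.

```javascript
// Added example, not part of the lunary code base. Constructed access-log
// lines: timestamp, client IP, request line, status, and whether an
// Authorization header was present (auth=bearer | auth=none).
const SAMPLE_LOG = [
  '2024-05-20T10:00:01Z 203.0.113.5 "DELETE /v1/datasets/ds-100" 204 auth=bearer',
  '2024-05-20T10:00:07Z 198.51.100.9 "DELETE /v1/datasets/ds-200" 204 auth=none',
  '2024-05-20T10:00:09Z 198.51.100.9 "GET /v1/datasets/ds-200" 401 auth=none',
  '2024-05-20T10:00:12Z 198.51.100.9 "DELETE /v1/datasets/ds-300" 401 auth=none',
  'garbage line that should be skipped',
];

const LINE_RE = /^(\S+) (\S+) "([A-Z]+) (\S+)" (\d{3}) auth=(\S+)$/;
const DATASET_RE = /^\/v1\/datasets\/([^/?]+)$/; // assumed route shape

// Parse one line into a record, or null when it does not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], ip: m[2], method: m[3], path: m[4], status: Number(m[5]), auth: m[6] };
}

// Classify unauthenticated dataset deletions:
//   exploited: succeeded (2xx) with no credentials -> the IDOR was used
//   attempted: rejected (401/403) with no credentials -> probing against a patched build
function findUnauthenticatedDeletes(lines) {
  const exploited = [];
  const attempted = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.method !== "DELETE" || rec.auth !== "none") continue;
    const dm = DATASET_RE.exec(rec.path);
    if (!dm) continue;
    const hit = { ts: rec.ts, ip: rec.ip, datasetId: dm[1], status: rec.status };
    if (rec.status >= 200 && rec.status < 300) exploited.push(hit);
    else if (rec.status === 401 || rec.status === 403) attempted.push(hit);
  }
  return { exploited, attempted };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findUnauthenticatedDeletes(SAMPLE_LOG), null, 2));
}
```

A hit in `exploited` on a pre-1.2.8 deployment is direct evidence that a dataset was removed without credentials; hits in `attempted` after upgrading confirm the fix is rejecting the same requests and give the source addresses to investigate.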

Who is affected

All users of the lunary-ai/lunary application version 1.2.2 are affected by this vulnerability. Specifically, any user who has datasets stored within the application is at risk of having their data deleted by an unauthenticated attacker.
