High Severity

lunary

IDOR Vulnerability Allowing Unauthenticated Dataset Deletion

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in lunary-ai/lunary version 1.2.2, allowing unauthenticated users to delete any dataset. This issue was patched in version 1.2.8.

Available publicly on May 20 2024

CVSS score: 7.5

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Credit: meme-dm
Remediation Steps
  • Update to version 1.2.8 or later.
  • Implement proper authorization checks on all sensitive endpoints to ensure that the user is authenticated and authorized to perform the requested action.
  • Regularly audit your codebase for similar vulnerabilities, especially in parts of the application that handle user data or sensitive operations.
  • Consider implementing rate limiting and logging mechanisms to detect and mitigate abuse patterns.
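To illustrate the authorization check the second remediation step calls for, here is an added example (not lunary's code) of an IDOR-prone dataset delete handler beside a hardened one; the in-memory store, the request shape and the function names are hypothetical.

```javascript
// Added illustration, not lunary's implementation: a dataset delete handler
// that trusts the id in the URL versus one that scopes the lookup to the
// authenticated caller's project. Store and request shape are constructed.

// Constructed sample store: dataset id -> record with its owning project.
const datasets = new Map([
  ["ds-1", { projectId: "proj-A", name: "eval set" }],
  ["ds-2", { projectId: "proj-B", name: "prod traces" }],
]);

// Fresh copy of the sample store so each scenario starts from the same state.
function cloneStore() {
  return new Map([...datasets].map(([id, rec]) => [id, { ...rec }]));
}

// IDOR-prone pattern: any caller who knows (or guesses) an id can delete it,
// because neither authentication nor ownership is checked. Returns an HTTP status.
function deleteDatasetVulnerable(store, req) {
  const { id } = req.params;
  if (!store.has(id)) return 404;
  store.delete(id);
  return 204;
}

// Hardened pattern: reject unauthenticated requests, then look the dataset up
// within the caller's own project only. A dataset owned by another project is
// reported exactly like a missing one, so ids cannot be enumerated either.
function deleteDatasetFixed(store, req) {
  if (!req.user || !req.user.projectId) return 401; // not authenticated
  const { id } = req.params;
  const ds = store.get(id);
  if (!ds || ds.projectId !== req.user.projectId) return 404; // absent or not owned
  store.delete(id);
  return 204;
}
```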
Patch Details
  • Fixed Version: 1.2.8
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776