Sightline

High

lunary

IDOR Vulnerability Allowing Unauthenticated Dataset Deletion

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in lunary-ai/lunary version 1.2.2, allowing unauthenticated users to delete any dataset. This issue was patched in version 1.2.8.

Available publicly on May 20 2024 | Available with Premium on May 19 2024

CVE:

CVE-2024-5130

CWE:

863:Incorrect Authorization

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Credit:

meme-dm

Assess Detect

Premium

Remediate

Remediation Steps

Update to version 1.2.8 or later.
Implement proper authorization checks on all sensitive endpoints to ensure that the user is authenticated and authorized to perform the requested action.
Regularly audit your codebase for similar vulnerabilities, especially in parts of the application that handle user data or sensitive operations.
Consider implementing rate limiting and logging mechanisms to detect and mitigate abuse patterns.

Patch Details

Fixed Version: 1.2.8
Patch Commit: https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776

Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 568- related security advisories that are available with Sightline Premium.