CVE-2024-5129 HIGH

CVE-2024-5129: Privilege Escalation Vulnerability in lunary-ai/lunary

Vendor Lunary-Ai
Product lunary-ai/lunary
Weakness CWE-862 · Missing authorization
Published June 6, 2024
Last update August 1, 2024

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user requesting the deletion has the appropriate permissions. This allows unauthorized users to send a DELETE request to the server and delete any dataset by specifying its ID. The issue is located in the datasets.delete function within the datasets index file.

Key dates

02Disclosure timeline

June 6, 2024 CVE published
August 1, 2024 Record updated

Related vulnerabilities

04Related CVE