CVE-2024-1625

Name of the Vulnerable Software and Affected Versions lunary-ai/lunary version 0.3.0

Description An Insecure Direct Object Reference (IDOR) vulnerability exists, allowing unauthorized deletion of any organization's project. The issue is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project ID. This issue affects the project deletion functionality implemented in the "projects.delete" route.

Recommendations For version 0.3.0, consider disabling the project deletion functionality in the "projects.delete" route until a patch is available. Restrict access to the project deletion endpoint to minimize the risk of exploitation. Avoid using the project ID in the affected endpoint until the issue is resolved.