PT-2024-27674 · Lunary · Lunary

Published 2024-05-20 · Updated 2025-01-10 · CVE-2024-3761

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions 1.2.2 through 1.2.7

Description: The issue is in the DELETE endpoint located at packages/backend/src/api/v1/datasets, which allows unauthorized dataset deletion because it has no authentication or authorization checks. Any user, including one without a valid token, can delete a dataset by sending a DELETE request to the endpoint. The impact is significant: unauthorized users can delete datasets, potentially causing data loss or disruption of service.

Recommendations: For versions 1.2.2 through 1.2.7, update to version 1.2.8 to resolve the issue. As a temporary workaround, restrict access to the packages/backend/src/api/v1/datasets endpoint until the update is applied. Blocking the DELETE request method on this endpoint also reduces the risk of exploitation.
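The following is an added illustration, not Lunary's own code: a dataset DELETE handler in the shape the advisory describes (no check on the caller), beside a hardened version that authenticates the token and then authorizes the caller against the dataset's owning project. The request objects, the `SESSIONS` table, the `freshStore()` contents and the `proj-*`/`tok-*`/`ds-*` identifiers are all constructed for this example.

```javascript
// Added example, not Lunary's own code. All names and sample state below are constructed.

// Constructed sample state: two projects, each owning one dataset.
const SESSIONS = new Map([["tok-alice", "proj-A"], ["tok-bob", "proj-B"]]);
function freshStore() {
  return new Map([
    ["ds-1", { projectId: "proj-A" }],
    ["ds-2", { projectId: "proj-B" }],
  ]);
}

// Vulnerable shape: the id from the path is deleted without looking at who is calling.
function deleteDatasetVulnerable(req, store) {
  const existed = store.delete(req.params.id);
  return { status: existed ? 200 : 404 };
}

// Hardened shape: authenticate first, then authorize against the dataset's owner.
function deleteDatasetHardened(req, store) {
  const header = req.headers.authorization || "";
  const token = header.startsWith("Bearer ") ? header.slice("Bearer ".length) : null;
  const callerProject = token ? SESSIONS.get(token) : undefined;
  if (!callerProject) return { status: 401 }; // authentication: no valid session token
  const ds = store.get(req.params.id);
  // Authorization: one 404 for both "missing" and "not yours", so ids of other
  // projects' datasets are not revealed by the response code.
  if (!ds || ds.projectId !== callerProject) return { status: 404 };
  store.delete(req.params.id);
  return { status: 200 };
}

// Stand-alone demonstration of the difference for an unauthenticated request.
const anonymous = { params: { id: "ds-1" }, headers: {} };
console.log("vulnerable, no token:", deleteDatasetVulnerable(anonymous, freshStore()).status);
console.log("hardened, no token:", deleteDatasetHardened(anonymous, freshStore()).status);
```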

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-3761

Affected Products: Lunary