PT-2024-34585 · Lunary · Lunary

Published: 2024-06-06 · Updated: 2024-11-03 · CVE-2024-5128

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions up to and including 1.2.2

Description: An Insecure Direct Object Reference (IDOR) vulnerability was identified, allowing unauthorized users to view, update, or delete any dataset prompt or dataset prompt variation within any dataset or project. The issue stems from improper access control checks in the dataset management endpoints, where direct references to object IDs are not adequately secured against unauthorized access.

Recommendations: For versions up to and including 1.2.2, upgrade to version 1.2.25 to resolve the issue. As a temporary workaround, consider restricting access to the dataset management endpoints to minimize the risk of exploitation.
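The defect class the description names is a lookup keyed only by an object id, with no check that the object belongs to the caller's project. The following is an added illustration written for this advisory, not Lunary's code: an in-memory dataset-prompt store with a hypothetical unscoped handler beside a project-scoped one. The type names, the `Caller` context, the sample prompts and the function names are all assumptions made for the example.

```typescript
// Added example (not Lunary's code): IDOR in an object-by-id lookup, and the
// project-scoped lookup that closes it. Store, names and sample data are hypothetical.

type DatasetPrompt = { id: string; projectId: string; content: string };

// Authenticated caller context, as request middleware would populate it (assumed shape).
interface Caller { projectId: string }

// Constructed sample data: two projects, each owning one dataset prompt.
const prompts: Map<string, DatasetPrompt> = new Map([
  ["p-1", { id: "p-1", projectId: "proj-A", content: "Summarise the ticket" }],
  ["p-2", { id: "p-2", projectId: "proj-B", content: "Translate to French" }],
]);

// VULNERABLE pattern: the handler only checks that the id exists, so any
// authenticated caller can read (or update/delete) a prompt from another project.
function getPromptUnscoped(_caller: Caller, promptId: string): DatasetPrompt | undefined {
  return prompts.get(promptId);
}

// HARDENED pattern: every lookup is scoped to the caller's project. A prompt that
// exists but belongs to another project is treated exactly like a missing one, so
// the response does not reveal whether the id is valid. The SQL equivalent is
// `WHERE id = $1 AND project_id = $2` rather than `WHERE id = $1`.
function findScoped(caller: Caller, promptId: string): DatasetPrompt | undefined {
  const p = prompts.get(promptId);
  return p !== undefined && p.projectId === caller.projectId ? p : undefined;
}

function getPromptScoped(caller: Caller, promptId: string): DatasetPrompt | undefined {
  return findScoped(caller, promptId);
}

// Returns true only if the prompt was updated; false means "not found" for this caller.
function updatePromptScoped(caller: Caller, promptId: string, content: string): boolean {
  const p = findScoped(caller, promptId);
  if (p === undefined) return false;
  p.content = content;
  return true;
}

// Returns true only if the prompt was deleted; a foreign-project id is a no-op.
function deletePromptScoped(caller: Caller, promptId: string): boolean {
  if (findScoped(caller, promptId) === undefined) return false;
  return prompts.delete(promptId);
}

// Ids visible to a caller: the scoped view the list endpoint should be built on.
function listPromptIds(caller: Caller): string[] {
  return [...prompts.values()].filter(p => p.projectId === caller.projectId).map(p => p.id);
}
```

The point of `findScoped` is that the ownership check lives in one place that every read, update and delete path goes through; an endpoint that bypasses it by calling `prompts.get` directly is the shape of the bug. When reviewing a fix for this class, verify that each dataset and prompt-variation route uses the scoped lookup, and that a foreign id yields the same not-found result as an unknown id.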

Weakness Enumeration: IDOR

Related Identifiers: CVE-2024-5128

Affected Products: Lunary