PT-2024-34586 · Lunary Ai · Lunary

Published: 2024-06-06 · Updated: 2024-10-03 · CVE-2024-5129

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.2

Description: A privilege escalation issue exists due to missing authorization checks, allowing any user to delete datasets. The issue is in the dataset deletion functionality, where the application does not verify that the requesting user is permitted to act on the dataset. An unauthorized user can exploit this by sending a DELETE request to the server that specifies the ID of any dataset, which is then deleted. The defect is located in the datasets.delete function within the datasets index file.

Recommendations: For lunary-ai/lunary version 1.2.2, consider disabling the datasets.delete function until a patch is available, to prevent unauthorized dataset deletion. Restrict access to the dataset deletion functionality to minimize the risk of exploitation. Avoid relying on the dataset ID alone in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
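The handler shape behind this class of bug, as an added JavaScript illustration that is not Lunary's own code: a DELETE-by-ID handler that trusts the path parameter, next to one that resolves the row and checks the caller's project membership before deleting. The in-memory store, the user objects and the project/dataset IDs are constructed sample data.

```javascript
// Added illustration (not lunary-ai/lunary code): the missing-authorization
// pattern described in the advisory beside its hardened form.
// The store, users and IDs below are constructed sample data.

function makeStore() {
  // Each dataset belongs to exactly one project (constructed sample rows).
  return new Map([
    ["ds-1", { id: "ds-1", projectId: "proj-A", name: "eval set A" }],
    ["ds-2", { id: "ds-2", projectId: "proj-B", name: "eval set B" }],
  ]);
}

// Vulnerable pattern: the handler deletes whatever ID the client supplies
// and never asks whether the caller may touch that dataset.
function deleteDatasetUnchecked(store, caller, datasetId) {
  const existed = store.delete(datasetId);
  return existed ? 200 : 404; // HTTP status the route would answer with
}

// Hardened pattern: load the row first, then require that it belongs to a
// project the caller is a member of, before performing the destructive write.
function deleteDatasetChecked(store, caller, datasetId) {
  const row = store.get(datasetId);
  // Answer 404 for both "no such dataset" and "not your dataset" so the
  // status code does not reveal which IDs exist in other projects.
  if (!row || !caller.projectIds.includes(row.projectId)) return 404;
  store.delete(datasetId);
  return 200;
}
```

In a real backend the membership check belongs in a shared authorization layer applied to every dataset route, not re-implemented per handler, so that a newly added endpoint cannot silently skip it.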

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-5129

Affected Products: Lunary