PT-2024-35968 · Lunary Ai · Lunary

Published: 2024-06-09 · Updated: 2024-07-09 · CVE-2024-5389
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.13
Description: The issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This impacts the integrity and consistency of dataset information, potentially affecting the results of experiments.
Recommendations: For lunary-ai/lunary version 1.2.13, consider restricting access to dataset prompts and their variations to only authorized users within the same organization or project until a patch is available. As a temporary workaround, disable the functionality that allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
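The authorization check the description says is missing, as an added illustration that is not code from lunary-ai/lunary: every operation on a prompt variation is resolved back to the dataset that owns it, and that dataset's project must match the requesting user's project before anything is read, changed or deleted. All type names, identifiers and sample records below are hypothetical.

```typescript
interface Dataset { id: string; projectId: string; }
interface DatasetPrompt { id: string; datasetId: string; }
interface PromptVariation { id: string; promptId: string; text: string; }
interface Requester { userId: string; projectId: string; }

// Constructed sample data: two projects, each owning one dataset, one prompt
// and one variation. Placeholder ids, not real Lunary identifiers.
const datasets = new Map<string, Dataset>([
  ["ds-a", { id: "ds-a", projectId: "proj-a" }],
  ["ds-b", { id: "ds-b", projectId: "proj-b" }],
]);
const prompts = new Map<string, DatasetPrompt>([
  ["p-a", { id: "p-a", datasetId: "ds-a" }],
  ["p-b", { id: "p-b", datasetId: "ds-b" }],
]);
const variations = new Map<string, PromptVariation>([
  ["v-a", { id: "v-a", promptId: "p-a", text: "original A" }],
  ["v-b", { id: "v-b", promptId: "p-b", text: "original B" }],
]);

class AuthorizationError extends Error {}

// Walk variation -> prompt -> dataset and return the owning project, if any.
function ownerProjectOf(variationId: string): string | undefined {
  const variation = variations.get(variationId);
  const prompt = variation && prompts.get(variation.promptId);
  const dataset = prompt && datasets.get(prompt.datasetId);
  return dataset?.projectId;
}

// The ownership check: refuse unless the variation belongs to the requester's
// project. An unknown id gets the same error so ids cannot be probed for.
function authorizeVariation(req: Requester, variationId: string): PromptVariation {
  if (ownerProjectOf(variationId) !== req.projectId) {
    throw new AuthorizationError(`variation ${variationId} is not in project ${req.projectId}`);
  }
  return variations.get(variationId)!;
}

function updateVariation(req: Requester, id: string, text: string): PromptVariation {
  const v = authorizeVariation(req, id); // check first, then mutate
  v.text = text;
  return v;
}

function deleteVariation(req: Requester, id: string): boolean {
  authorizeVariation(req, id);
  return variations.delete(id);
}
```

In a real service the same scoping belongs in the database query itself (filter by the requester's project id), so that a handler cannot forget to call the check.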

Related Identifiers

CVE-2024-5389
GHSA-3MWC-2CJ7-GX8C

Affected Products

Lunary