CVE-2024-3761

CVSS V2 None CVSS V3 None

Description

In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `packages/backend/src/api/v1/datasets` is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset by sending a DELETE request to the endpoint. The issue was fixed in version 1.2.8. The impact of this vulnerability is significant as it permits unauthorized users to delete datasets, potentially leading to data loss or disruption of service.

Overview

CVE ID
CVE-2024-3761

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-05-20T08:38:06.967Z

Last Modified Date
2024-06-06T19:41:51.786Z

Weakness Enumerations

CWE	URL
CWE-862	http://cwe.mitre.org/data/definitions/862.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/e95fb0a0-e54a-4da8-a33d-ba858d0cec55
https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-3761
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3761

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 23:37:34				Added to TrackCVE