CVE-2024-5129
HIGH 8.2
Description
A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any dataset due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify whether the user requesting the deletion has the appropriate permissions. This allows unauthorized users to send a DELETE request to the server and delete any dataset by specifying its ID. The issue is located in the datasets.delete function within the datasets index file.
CVE details
CVSS v3.1 score: 8.2
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 6/6/2024
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
lunary:lunary
Weaknesses (CWE)
CWE-862
References
https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776 (security@huntr.dev)
https://huntr.com/bounties/a6c0deb3-6a4c-4188-8aaa-9e6207f82f44 (security@huntr.dev)
https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776 (af854a3a-2127-422b-91ae-364da2661108)
https://huntr.com/bounties/a6c0deb3-6a4c-4188-8aaa-9e6207f82f44 (af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.