CVE-2024-3761

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-3761
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-3761.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-3761
Published
2024-05-20T09:15:09Z
Modified
2025-01-10T15:49:43.173873Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at packages/backend/src/api/v1/datasets is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset by sending a DELETE request to the endpoint. The issue was fixed in version 1.2.8. The impact of this vulnerability is significant as it permits unauthorized users to delete datasets, potentially leading to data loss or disruption of service.

References

Affected packages

Git / github.com/lunary-ai/lunary

Affected ranges

Type
GIT
Repo
https://github.com/lunary-ai/lunary
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

1.*

1.2.4

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.2.0
v0.2.1
v0.3.0
v0.3.1

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.5
v1.2.6
v1.2.7