CVE-2024-3761

CVSS base score: 7.5 (HIGH)

📋 TL;DR

This vulnerability allows any user, including one with no authentication at all, to delete datasets in lunary-ai/lunary by sending a single DELETE request to the dataset endpoint, because the endpoint performs no authentication or authorization check before acting. It affects deployments of version 1.2.2 whose dataset deletion endpoint is reachable.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: Version 1.2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment with the dataset deletion endpoint accessible is vulnerable.

📦 What is this software?

Lunary (lunary-ai/lunary) is an open-source observability, analytics and prompt-management platform for LLM applications. Datasets in Lunary are collections of inputs and expected outputs used for evaluations, so deleting them destroys evaluation data that is often not reproducible.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete loss of all datasets, service disruption, and potential business impact from data destruction.

🟠

Likely Case

Unauthorized deletion of critical datasets leading to data loss and operational disruption.

🟢

If Mitigated

No impact if proper authentication and authorization controls are implemented.

🌐 Internet-Facing: HIGH - The vulnerability allows unauthenticated exploitation, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal users without proper permissions can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a simple HTTP DELETE request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.8

Vendor Advisory (fix commit): https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776

Restart Required: Yes

Instructions:

1. Update lunary-ai/lunary to version 1.2.8 or later.
2. Restart the application.
3. Verify the fix: an unauthenticated DELETE on a dataset must now be rejected, and deletion must still work for an authenticated, authorized user.

🔧 Temporary Workarounds

Network Access Control (platform: all)

Restrict access to the DELETE endpoint using network controls or web application firewall rules.

Authentication Middleware (platform: all)

Implement authentication checks before processing DELETE requests to the dataset endpoint.

🧯 If You Can't Patch

  • Implement network segmentation so that only trusted clients can reach the API at all.
  • Deploy a web application firewall rule that blocks DELETE requests to the dataset endpoint which carry no credentials. Treat this as a stopgap: a WAF cannot tell an authorized delete from an unauthorized one unless it validates the credentials itself.
  • Keep recent backups of datasets so that a successful deletion can be reversed.

🔍 How to Verify

Check if Vulnerable:

Send a DELETE request to /api/v1/datasets/{dataset_id} without any credentials. If the server answers with a 2xx status and the dataset is gone afterwards, the instance is vulnerable. Use a throwaway dataset in a test project: on an unpatched instance the check itself destroys the dataset. A 404 for an unknown id is inconclusive, because it does not show whether the access check ran before the lookup.

Check Version:

Check package.json or application version endpoint for lunary version.

Verify Fix Applied:

Repeat the same DELETE request without credentials. It should now be rejected with a 401 or 403 and the dataset must still exist afterwards; then confirm that an authenticated, authorized user can still delete it.
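The following script automates the three verification steps above. It is example code added for this page, not part of lunary-ai/lunary; it assumes the endpoint path /api/v1/datasets/{dataset_id} named above and that a patched instance rejects the request with 401 or 403 before touching the dataset. The two mock servers are constructed stand-ins so it runs offline; point check_unauthenticated_delete() at a real instance only with a throwaway dataset id, because a successful check deletes it.

```python
"""Check whether an unauthenticated DELETE removes a lunary dataset (CVE-2024-3761).

Example code written for this page, not lunary's own. The endpoint path is the
one named in the verification steps; the mock servers below are constructed.
"""
import http.server
import threading
import urllib.error
import urllib.request

# Opener with proxies disabled so the request goes straight to the target.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def build_delete_request(base_url, dataset_id, token=None):
    """Build the DELETE request; token=None deliberately sends no credentials."""
    url = f"{base_url.rstrip('/')}/api/v1/datasets/{dataset_id}"
    req = urllib.request.Request(url, method="DELETE")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    return req


def classify_status(status):
    """Map the HTTP status of an unauthenticated DELETE to a verdict."""
    if status in (401, 403):
        return "fixed"          # access control rejected the request
    if 200 <= status < 300:
        return "vulnerable"     # server accepted the delete without credentials
    return "inconclusive"       # e.g. 404 for an unknown id, 5xx, redirects


def check_unauthenticated_delete(base_url, dataset_id):
    """Send the unauthenticated DELETE and classify the answer."""
    req = build_delete_request(base_url, dataset_id)
    try:
        with _OPENER.open(req, timeout=10) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_status(err.code)
    except urllib.error.URLError:
        return "unreachable"


# --- constructed mock servers, not lunary code -------------------------------
class VulnerableHandler(http.server.BaseHTTPRequestHandler):
    """Behaves like the vulnerable release: deletes regardless of credentials."""
    require_auth = False

    def do_DELETE(self):
        if self.require_auth and "Authorization" not in self.headers:
            self.send_response(401)
        else:
            self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


class PatchedHandler(VulnerableHandler):
    """Behaves like a fixed release: rejects the request when no credentials are sent."""
    require_auth = True


def start_mock_server(handler):
    """Serve `handler` on an ephemeral localhost port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    for name, handler in (("unpatched", VulnerableHandler), ("patched", PatchedHandler)):
        server, base = start_mock_server(handler)
        print(f"{name}: {check_unauthenticated_delete(base, 'throwaway-dataset-id')}")
        server.shutdown()
        server.server_close()
```

To run it against a real deployment, replace the mock base URL with the instance URL and pass the id of a dataset you are willing to lose; pass a valid token to build_delete_request() afterwards to confirm that authorized deletion still works.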

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized DELETE requests to /api/v1/datasets/*
  • Dataset deletion events without associated user authentication logs

Network Indicators:

  • HTTP DELETE requests to dataset endpoints from unauthenticated sources

SIEM Query:

source=web_logs method=DELETE uri_path="/api/v1/datasets/*" AND NOT user_id=*
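The same detection logic as the SIEM query, run over sample log lines, as an added example that is not part of the original page or of lunary. The JSON-lines access log is constructed for the example and uses the fields the query relies on (method, path, status, user_id); map them to whatever your reverse proxy or application logger actually emits. It also separates successful deletions (2xx) from attempts a patched instance rejected (401/403), which the query alone does not do.

```python
"""Flag unauthenticated DELETEs on lunary datasets in an access log (CVE-2024-3761).

Example code written for this page, not lunary's own. The log format and the
sample lines are constructed; field names are assumptions to be mapped.
"""
import json
import re
from collections import Counter

# One dataset id after /api/v1/datasets/, optionally followed by a query string.
DATASET_DELETE_PATH = re.compile(r"^/api/v1/datasets/([^/?]+)/?(?:\?.*)?$")

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
{"ts":"2024-04-15T10:01:02Z","method":"DELETE","path":"/api/v1/datasets/ds_123","status":200,"src":"203.0.113.7","user_id":null}
{"ts":"2024-04-15T10:01:05Z","method":"DELETE","path":"/api/v1/datasets/ds_124","status":200,"src":"10.0.0.5","user_id":"u_42"}
{"ts":"2024-04-15T10:02:11Z","method":"GET","path":"/api/v1/datasets/ds_123","status":404,"src":"203.0.113.7","user_id":null}
{"ts":"2024-04-15T10:03:00Z","method":"DELETE","path":"/api/v1/datasets/ds_125","status":401,"src":"198.51.100.9"}
{"ts":"2024-04-15T10:03:01Z","method":"DELETE","path":"/api/v1/datasets/ds_126","status":204,"src":"198.51.100.9"}
{"ts":"2024-04-15T10:04:00Z","method":"DELETE","path":"/api/v1/datasets","status":405,"src":"198.51.100.9"}
"""


def find_unauthenticated_dataset_deletes(log_text):
    """Return DELETEs on a single dataset that carried no user identity.

    outcome is "deleted" for a 2xx answer (the dataset is gone, i.e. successful
    exploitation on an unpatched instance), "rejected" for 401/403 (a patched
    instance blocked the attempt, still worth alerting on as reconnaissance),
    and "other" for anything else.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("method") != "DELETE":
            continue
        match = DATASET_DELETE_PATH.match(event.get("path", ""))
        if not match:
            continue
        if event.get("user_id"):      # authenticated delete: normal operation
            continue
        status = int(event.get("status", 0))
        if 200 <= status < 300:
            outcome = "deleted"
        elif status in (401, 403):
            outcome = "rejected"
        else:
            outcome = "other"
        hits.append({
            "ts": event.get("ts"),
            "src": event.get("src"),
            "dataset_id": match.group(1),
            "status": status,
            "outcome": outcome,
        })
    return hits


def deletions_by_source(hits):
    """Count successful unauthenticated deletions per source address."""
    return Counter(h["src"] for h in hits if h["outcome"] == "deleted")


if __name__ == "__main__":
    found = find_unauthenticated_dataset_deletes(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(deletions_by_source(found))
```

On the sample above the function flags three events: ds_123 and ds_126 were deleted without any user identity, and the attempt on ds_125 was rejected with 401. The authenticated delete of ds_124 and the GET are ignored, as is the DELETE on the collection path, which the regex deliberately does not match.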

🔗 References

  • Fix commit: https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776