CVE-2024-5130

7.5 HIGH

📋 TL;DR

This CVE describes an incorrect authorization vulnerability in lunary-ai/lunary that allows an unauthenticated user to delete any dataset. The vulnerability exists because the dataset deletion endpoint fails to verify that the supplied project ID belongs to the current user. All users running lunary versions up to and including 1.2.2 are affected.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: up to and including 1.2.2
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using vulnerable versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete data loss through deletion of all datasets across all projects, potentially causing business disruption, data integrity issues, and loss of critical AI training data.

🟠

Likely Case

Targeted deletion of specific datasets by malicious actors, leading to data loss, service disruption, and potential compliance violations for affected organizations.

🟢

If Mitigated

Minimal impact with proper network segmentation and access controls limiting exposure to authenticated users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and minimal technical skill to exploit via HTTP requests to the deletion endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.8

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Update lunary to version 1.2.8 or later using your package manager or deployment method.
3. Restart the lunary service.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to the lunary deletion endpoint to authenticated users only, using firewall rules or a web application firewall.

Authentication Enforcement

all

Implement an additional authentication layer or an API gateway that requires authentication before a request can reach the vulnerable endpoint.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate lunary instances from untrusted networks
  • Deploy a web application firewall with rules to block unauthenticated DELETE requests to dataset endpoints

🔍 How to Verify

Check if Vulnerable:

Check if lunary version is 1.2.2 or earlier by examining package version or deployment configuration.

Check Version:

Check package.json or the deployment manifest for the version, or run: npm list lunary-ai/lunary (if installed via npm)
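The version check below is an added example, not part of the advisory or of the lunary project. It assumes the deployed checkout's package.json carries a top-level "version" field and applies the two boundaries the advisory gives (affected through 1.2.2, fixed in 1.2.8); versions between those two are not described by the advisory, so the check reports them as unknown rather than silently treating them as fixed.

```python
"""Classify a lunary version against the advisory's boundaries.

Assumption: package.json has a top-level "version" string such as "1.2.2".
"""
import json

LAST_AFFECTED = (1, 2, 2)   # advisory: affected up to and including 1.2.2
FIRST_FIXED = (1, 2, 8)     # advisory: patch version 1.2.8


def parse_version(text):
    """Turn "v1.2.8" or "1.2.8-beta.1" into the comparable tuple (1, 2, 8).

    A pre-release suffix after '-' is dropped so int() does not choke on it;
    the numeric part is what the advisory's boundaries refer to.
    """
    core = text.strip().lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def assess_version(version):
    """Return 'vulnerable', 'fixed', or 'unknown' for the given version string."""
    v = parse_version(version)
    if v <= LAST_AFFECTED:
        return "vulnerable"
    if v >= FIRST_FIXED:
        return "fixed"
    # 1.2.3 .. 1.2.7 are not covered by the advisory text; a defender should
    # treat them as unverified rather than assume the fix is present.
    return "unknown"


def assess_package_json(text):
    """Read the version out of package.json content and classify it."""
    return assess_version(json.loads(text)["version"])


if __name__ == "__main__":
    # Constructed sample package.json content, not a real lunary file.
    sample = '{"name": "lunary", "version": "1.2.2"}'
    print(assess_package_json(sample))
```

Run it against the package.json of the deployed instance; anything other than "fixed" means the deployment still needs the update in the instructions above.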

Verify Fix Applied:

Verify lunary version is 1.2.8 or later and test that unauthenticated users cannot delete datasets.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DELETE requests to dataset endpoints from unauthenticated IPs
  • Multiple dataset deletion events in short timeframes

Network Indicators:

  • HTTP DELETE requests to /api/datasets/* endpoints without authentication headers

SIEM Query:

source="lunary" AND (http_method="DELETE" AND uri_path="/api/datasets/*") AND NOT (auth_token EXISTS)
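The script below is an added example, not part of the advisory or of lunary, that implements the two log indicators and the SIEM query above as plain Python over request logs. The JSON-per-line log format and the sample lines are constructed for the example; the field names (ts, ip, method, path, auth_token) are assumptions to adapt to whatever your reverse proxy or application actually emits. It flags DELETE requests to /api/datasets/* that carry no auth token, and it also catches bursts of dataset deletions from one source IP inside a short window, which is the second indicator the advisory lists.

```python
"""Detect the advisory's log indicators in request logs.

Constructed log format: one JSON object per line with ts, ip, method, path
and an optional auth_token field (null or absent when no token was sent).
"""
import json
import re
from datetime import datetime, timedelta

# Assumption: dataset deletions hit /api/datasets/<id> with a single id segment.
DATASET_PATH = re.compile(r"^/api/datasets/[^/]+$")

# Constructed sample log lines, not real lunary output.
SAMPLE_LOG = """
{"ts":"2024-05-20T10:00:01Z","ip":"10.0.0.5","method":"DELETE","path":"/api/datasets/abc1","auth_token":"Bearer t1"}
{"ts":"2024-05-20T10:00:02Z","ip":"203.0.113.9","method":"DELETE","path":"/api/datasets/abc2","auth_token":null}
{"ts":"2024-05-20T10:00:03Z","ip":"203.0.113.9","method":"GET","path":"/api/datasets/abc2","auth_token":null}
{"ts":"2024-05-20T10:00:04Z","ip":"203.0.113.9","method":"DELETE","path":"/api/datasets/abc3","auth_token":null}
{"ts":"2024-05-20T10:00:05Z","ip":"203.0.113.9","method":"DELETE","path":"/api/datasets/abc4"}
{"ts":"2024-05-20T11:30:00Z","ip":"10.0.0.7","method":"DELETE","path":"/api/datasets/abc5","auth_token":"Bearer t2"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with ts converted to datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def is_dataset_delete(ev):
    """True for a DELETE aimed at a dataset endpoint."""
    return ev["method"] == "DELETE" and DATASET_PATH.match(ev["path"]) is not None


def unauthenticated_dataset_deletes(events):
    """Mirror the SIEM query: dataset DELETE with no auth token (null or absent)."""
    return [ev for ev in events if is_dataset_delete(ev) and not ev.get("auth_token")]


def deletion_bursts(events, window=timedelta(minutes=1), threshold=3):
    """Return source IPs that issued >= threshold dataset deletions inside `window`.

    Uses a sliding window over each IP's sorted timestamps, so a slow trickle
    of legitimate deletions spread over hours is not flagged.
    """
    by_ip = {}
    for ev in sorted((e for e in events if is_dataset_delete(e)), key=lambda e: e["ts"]):
        by_ip.setdefault(ev["ip"], []).append(ev["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in unauthenticated_dataset_deletes(evs):
        print("unauthenticated dataset delete:", hit["ts"].isoformat(), hit["ip"], hit["path"])
    print("burst sources:", deletion_bursts(evs))
```

On the constructed sample, the authenticated deletions from the two internal addresses pass, while the three token-less DELETEs from 203.0.113.9 are reported individually and that address is also flagged as a burst source. Tune the window and threshold to the normal deletion rate of your deployment before alerting on the burst rule.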
