CVE-2024-10762
HIGHCVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4Description
In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations.
Analysis
In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical Context
This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations. Affected products include: Lunary. Version information: version 1.5.9.
Affected Products
Lunary.
Remediation
A vendor patch is available. Apply the latest security update as soon as possible. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today