CVE-2024-10272

Broken Access Control in lunary-ai/lunary

CVSS 7.5 HIGH | EPSS 0.6% | CWE-862 (Missing Authorization)
In short

A flaw in Lunary allows attackers to view private datasets without logging in or having permission. An attacker can simply request dataset information and see data they shouldn't access.

Technical detail

Broken access control on the GET /v1/datasets endpoint: the handler does not validate the authorization token, so an unauthenticated request retrieves dataset contents. Exploitation requires only network reachability of the endpoint; no credentials, user interaction, or special conditions are needed, which is what the vector's PR:N/UI:N encodes. The impact is confidentiality only (C:H/I:N/A:N): datasets can be read, not modified.

Summary generated and translated by AI from the official description.
lunary-ai/lunary is vulnerable to broken access control in the latest version. An attacker can view the content of any dataset without any kind of authorization by sending a GET request to the /v1/datasets endpoint without a valid authorization token.
CVSS 3.0 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
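The bug class described above, as an added example that is not Lunary's code and does not reproduce its implementation: a minimal GET /v1/datasets handler modelled twice, once without any caller check (the CWE-862 shape the advisory describes) and once with bearer-token authentication followed by project-scoped authorization, plus the check a practitioner would run to tell the two apart. The request and response shapes, the token store, the dataset rows, and the function names are all constructed for this example.

```typescript
// Added example, not Lunary's code. Models the access-control defect behind
// CVE-2024-10272 as two versions of a GET /v1/datasets handler. All types,
// stores and names below are constructed for illustration.

type Request = { method: string; path: string; headers: Record<string, string> };
type Response = { status: number; body: unknown };

// Constructed sample data: two projects, each owning one private dataset.
const datasets = [
  { id: "ds_1", projectId: "proj_a", rows: [{ input: "hello", output: "hi" }] },
  { id: "ds_2", projectId: "proj_b", rows: [{ input: "internal prompt", output: "..." }] },
];

// Constructed token store: bearer token -> project the token is scoped to.
const apiTokens: Record<string, string> = {
  tok_proj_a_0123: "proj_a",
  tok_proj_b_4567: "proj_b",
};

// Constant-time string comparison so token checks do not leak match length.
function safeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Resolve the Authorization header to a project id; null when absent or invalid.
// Header names are assumed lowercased, as Node's http module delivers them.
function authenticate(req: Request): string | null {
  const header = req.headers["authorization"] ?? "";
  const m = /^Bearer\s+(\S+)$/i.exec(header);
  if (!m) return null;
  const presented = m[1] ?? "";
  for (const [token, projectId] of Object.entries(apiTokens)) {
    if (safeEqual(token, presented)) return projectId;
  }
  return null;
}

function isDatasetsRoute(req: Request): boolean {
  return req.method === "GET" && req.path === "/v1/datasets";
}

// VULNERABLE: the route never looks at the caller and returns every dataset.
function handleDatasetsVulnerable(req: Request): Response {
  if (!isDatasetsRoute(req)) return { status: 404, body: null };
  return { status: 200, body: datasets };
}

// FIXED: authenticate first (401 on failure), then authorize by returning only
// the datasets that belong to the caller's project.
function handleDatasetsFixed(req: Request): Response {
  if (!isDatasetsRoute(req)) return { status: 404, body: null };
  const projectId = authenticate(req);
  if (projectId === null) return { status: 401, body: { error: "unauthorized" } };
  return { status: 200, body: datasets.filter((d) => d.projectId === projectId) };
}

// Exposure check: an unauthenticated GET that answers 200 with a non-empty
// dataset list is the signature of this bug. Anything else is treated as safe.
function isExposed(handler: (req: Request) => Response): boolean {
  const res = handler({ method: "GET", path: "/v1/datasets", headers: {} });
  return res.status === 200 && Array.isArray(res.body) && res.body.length > 0;
}

console.log("vulnerable handler exposed:", isExposed(handleDatasetsVulnerable));
console.log("fixed handler exposed:", isExposed(handleDatasetsFixed));
```

Against a live deployment the same check is an unauthenticated request to the endpoint with no Authorization header; a 401 or 403 is the expected answer, and a 200 carrying dataset rows means the instance is affected. Note that the fix needs both halves: authenticating the token alone still returns other projects' datasets unless the query is scoped to the caller's project.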
