CVE-2024-5130 is an Incorrect Authorization vulnerability classified under CWE-862 affecting the lunary-ai/lunary software up to version 1.2.2. The vulnerability exists because the dataset deletion API endpoint fails to perform proper authorization checks to confirm that the project ID provided in the deletion request belongs to the authenticated user. In fact, the endpoint does not require any authentication, allowing unauthenticated attackers to delete any dataset by specifying arbitrary project IDs. This results in a direct integrity violation, as datasets can be maliciously or accidentally deleted by unauthorized parties. The vulnerability does not impact confidentiality or availability directly but compromises data integrity severely. The issue was addressed and fixed in version 1.2.8 by implementing proper authorization checks to ensure that only authorized users can delete datasets associated with their projects. The CVSS v3.0 base score is 7.5, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. No known exploits are reported in the wild as of the publication date. This vulnerability poses a significant risk to organizations relying on lunary-ai/lunary for managing datasets, especially in environments where data integrity is critical.

For European organizations, this vulnerability poses a significant risk to the integrity of datasets managed within lunary-ai/lunary environments. Unauthorized deletion of datasets can lead to loss of critical AI training data, research data, or business intelligence, potentially disrupting AI workflows and causing operational setbacks. Organizations in sectors such as finance, healthcare, research, and manufacturing that utilize AI-driven data analysis could face data sabotage or accidental data loss, impacting decision-making and compliance with data governance policies. Since the vulnerability requires no authentication or user interaction, attackers can remotely exploit it over the network, increasing the risk of widespread abuse. While confidentiality and availability are not directly impacted, the integrity loss can indirectly affect availability if datasets are essential for ongoing operations. The lack of known exploits in the wild suggests limited current exploitation but does not diminish the urgency for patching, especially given the ease of exploitation. European organizations must prioritize patching to prevent potential data integrity attacks that could have regulatory and reputational consequences.

The primary mitigation is to upgrade lunary-ai/lunary to version 1.2.8 or later, where the authorization checks have been properly implemented. Organizations should immediately inventory their deployments to identify affected versions and apply the update. In addition to patching, organizations should implement strict access controls and monitoring around dataset management APIs to detect and prevent unauthorized deletion attempts. Employing network segmentation and firewall rules to restrict access to the lunary-ai management interfaces can reduce exposure. Logging and alerting on dataset deletion events should be enabled to provide early detection of suspicious activity. Conducting regular audits of dataset ownership and permissions can help identify anomalies. Finally, organizations should consider implementing backup and recovery procedures for datasets to mitigate the impact of any unauthorized deletions that may occur before patching.