CVE-2024-3502

Published Nov 14, 2024

Last updated 2 days ago

CVSS critical 9.1

Overview

Description
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.
Source
security@huntr.dev
NVD status
Undergoing Analysis

Risk scores

CVSS 3.0

Type
Secondary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

security@huntr.dev
CWE-200

Social media

Hype score
Not currently trending

  1. [CVE-2024-3502: CRITICAL] Critical vulnerability in lunary-ai/lunary (up to v1.2.5) leads to unauthorized exposure of account recovery hashes in endpoints `GET /v1/users/me` and `GET /v1/users/me/org`. Upgrade to ...#cybersecurity,#vulnerability https://t.co/MX2d6g2o9v https://t.

    @CveFindCom

    14 Nov 2024

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References