CVE-2024-3502
CVE-2024-3502 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where users' account recovery hashes are inadvertently exposed to unauthorized actors. The hashes appear in the responses of the `GET /v1/users/me` and `GET /v1/users/me/org` endpoints, so any authenticated user can read them by inspecting those responses. The exposed account recovery hashes, while not directly related to user passwords, are sensitive values that should not be accessible to unauthorized parties; exposing them could facilitate account recovery attacks or other malicious activity. The vulnerability was addressed in version 1.2.6.
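The root cause described above is a common one: a handler returns a raw database row (or an ORM object) for the current user or organisation, so every column, including recovery and credential material, ends up in the JSON body. The added example below is not lunary's code and does not reflect its schema; the field names `recovery_token` and `password_hash` and the constructed rows are assumptions. It shows an explicit allowlist serializer for the user and org payloads, plus a small response check that walks a body and reports any key whose name looks like a secret, which is the kind of assertion a test suite can run against `/v1/users/me`-style responses to catch this regression class.

```javascript
// Added example (not lunary's own code). Field names below are assumptions.

// Key names that should never appear in a client-facing response body.
const SENSITIVE_KEY_PATTERN = /(password|recovery|reset|token|secret|hash)/i;

// Constructed sample rows, shaped like what a DB query for the current user
// and their org might return. The secret-looking values are placeholders.
const sampleUserRow = {
  id: 42,
  email: "alice@example.com",
  name: "Alice",
  role: "admin",
  org_id: 7,
  recovery_token: "CONSTRUCTED-RECOVERY-HASH", // assumed column name
  password_hash: "CONSTRUCTED-PASSWORD-HASH",  // assumed column name
};

const sampleOrgRow = {
  id: 7,
  name: "Example Org",
  users: [
    sampleUserRow,
    { ...sampleUserRow, id: 43, email: "bob@example.com", name: "Bob", role: "member" },
  ],
};

// Vulnerable pattern: hand the row straight to the JSON encoder.
function handleMeVulnerable(userRow) {
  return userRow;
}

// Hardened pattern: copy only an explicit allowlist of fields. Anything added
// to the table later is excluded by default until someone opts it in here.
const PUBLIC_USER_FIELDS = ["id", "email", "name", "role", "org_id"];

function toPublicUser(row) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (key in row) out[key] = row[key];
  }
  return out;
}

function toPublicOrg(row) {
  return { id: row.id, name: row.name, users: row.users.map(toPublicUser) };
}

// Response check: recursively walk a body and return JSONPath-like locations
// of every key whose name matches the sensitive pattern. An empty array means
// the body is clean; use it as an assertion in endpoint tests.
function findSensitiveKeys(value, path = "$") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findSensitiveKeys(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (SENSITIVE_KEY_PATTERN.test(key)) hits.push(childPath);
      hits.push(...findSensitiveKeys(child, childPath));
    }
  }
  return hits;
}

// Stand-alone demonstration.
console.log("vulnerable /me leaks:", findSensitiveKeys(handleMeVulnerable(sampleUserRow)));
console.log("hardened  /me leaks:", findSensitiveKeys(toPublicUser(sampleUserRow)));
console.log("hardened  /me/org leaks:", findSensitiveKeys(toPublicOrg(sampleOrgRow)));
```

The allowlist is deliberately the only place that decides what leaves the server; a denylist on the row would have missed a newly added secret column, which is exactly how fields like a recovery hash tend to slip into `me`-style endpoints. The `findSensitiveKeys` walk is intentionally name-based and conservative: it will flag some harmless keys, and that is the right trade-off for a test that guards a user-facing endpoint.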
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lunary | Lunary | < 1.2.6 |
References
- https://huntr.com/bounties/c2aff952-2dec-4538-8905-190c484aae94 (Issue Tracking, Patch, Third Party Advisory)
Source: NVD / NIST
