CVE-2024-3501

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74	Patch
https://huntr.com/bounties/8fdfdb9d-10bd-4f00-8004-d5baabc20c6e	Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

30 Jan 2025, 13:15

Type	Values Removed	Values Added
CWE	~~CWE-200~~

Information

Published : 2024-11-14 18:15

Updated : 2025-01-30 13:15

NVD link : CVE-2024-3501

Mitre link : CVE-2024-3501

CVE.ORG link : CVE-2024-3501

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2024-3501", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-11-14T18:15:18.713", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/8fdfdb9d-10bd-4f00-8004-d5baabc20c6e", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-922"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated."}, {"lang": "es", "value": "En las versiones de lunary-ai/lunary hasta la 1.2.5 incluida, existe una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n debido a la inclusi\u00f3n de tokens de un solo uso en las respuestas de los endpoints de API `GET /v1/users/me` y `GET /v1/users/me/org`. Estos tokens, destinados a operaciones confidenciales como restablecimiento de contrase\u00f1as o verificaci\u00f3n de cuentas, est\u00e1n expuestos a actores no autorizados, lo que potencialmente les permite realizar acciones en nombre del usuario. Este problema se solucion\u00f3 en la versi\u00f3n 1.2.6, donde se mitig\u00f3 la exposici\u00f3n de tokens de un solo uso en consultas de cara al usuario."}], "lastModified": "2025-01-30T13:15:09.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6B2B02F-E37C-46A5-A76C-CB0132C8AF72", "versionEndExcluding": "1.2.6"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}