CVE-2024-3502

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74	Patch
https://huntr.com/bounties/c2aff952-2dec-4538-8905-190c484aae94	Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

30 Jan 2025, 13:15

Type	Values Removed	Values Added
CWE	~~CWE-200~~

Information

Published : 2024-11-14 18:15

Updated : 2025-01-30 13:15

NVD link : CVE-2024-3502

Mitre link : CVE-2024-3502

CVE.ORG link : CVE-2024-3502

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2024-3502", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-11-14T18:15:18.943", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/c2aff952-2dec-4538-8905-190c484aae94", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-922"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6."}, {"lang": "es", "value": "En las versiones de lunary-ai/lunary hasta la 1.2.5 incluida, existe una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en la que los hashes de recuperaci\u00f3n de cuentas de los usuarios se exponen inadvertidamente a actores no autorizados. Este problema se produce cuando los usuarios autenticados inspeccionan las respuestas de los endpoints `GET /v1/users/me` y `GET /v1/users/me/org`. Los hashes de recuperaci\u00f3n de cuentas expuestos, si bien no est\u00e1n directamente relacionados con las contrase\u00f1as de los usuarios, representan informaci\u00f3n confidencial a la que no deber\u00edan tener acceso partes no autorizadas. La exposici\u00f3n de estos hashes podr\u00eda facilitar ataques de recuperaci\u00f3n de cuentas u otras actividades maliciosas. La vulnerabilidad se solucion\u00f3 en la versi\u00f3n 1.2.6."}], "lastModified": "2025-01-30T13:15:09.853", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6B2B02F-E37C-46A5-A76C-CB0132C8AF72", "versionEndExcluding": "1.2.6"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}