CVE-2024-3760

In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. Attackers can exploit this by automating forgot password requests to flood targeted user accounts with a high volume of password reset emails. This not only overwhelms the victim's mailbox, making it difficult to manage and locate legitimate emails, but also significantly impacts mail servers by consuming their resources. The increased load can cause performance degradation and, in severe cases, make the mail servers unresponsive or unavailable, disrupting email services for the entire organization.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/29374bb10020712009c1ec238affe098112a51d6	Patch
https://huntr.com/bounties/c29e9f36-8261-463d-8862-7f4fdcc8eddc	Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-11-14 19:15

Updated : 2024-11-18 22:02

NVD link : CVE-2024-3760

Mitre link : CVE-2024-3760

CVE.ORG link : CVE-2024-3760

JSON object : View

Products Affected

lunary

lunary

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2024-3760", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-11-14T19:15:06.327", "references": [{"url": "https://github.com/lunary-ai/lunary/commit/29374bb10020712009c1ec238affe098112a51d6", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/c29e9f36-8261-463d-8862-7f4fdcc8eddc", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. Attackers can exploit this by automating forgot password requests to flood targeted user accounts with a high volume of password reset emails. This not only overwhelms the victim's mailbox, making it difficult to manage and locate legitimate emails, but also significantly impacts mail servers by consuming their resources. The increased load can cause performance degradation and, in severe cases, make the mail servers unresponsive or unavailable, disrupting email services for the entire organization."}, {"lang": "es", "value": "En la versi\u00f3n 1.2.7 de lunary-ai/lunary, no existe un l\u00edmite de velocidad en la p\u00e1gina de contrase\u00f1a olvidada, lo que genera una vulnerabilidad de bombardeo de correo electr\u00f3nico. Los atacantes pueden aprovechar esto automatizando las solicitudes de contrase\u00f1a olvidada para inundar las cuentas de usuario objetivo con un gran volumen de correos electr\u00f3nicos de restablecimiento de contrase\u00f1a. Esto no solo sobrecarga el buz\u00f3n de la v\u00edctima, lo que dificulta la administraci\u00f3n y la ubicaci\u00f3n de correos electr\u00f3nicos leg\u00edtimos, sino que tambi\u00e9n afecta significativamente a los servidores de correo al consumir sus recursos. El aumento de la carga puede causar una degradaci\u00f3n del rendimiento y, en casos graves, hacer que los servidores de correo no respondan o no est\u00e9n disponibles, lo que interrumpe los servicios de correo electr\u00f3nico para toda la organizaci\u00f3n."}], "lastModified": "2024-11-18T22:02:15.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "861B7DD6-6AAA-48C1-94F7-687729B042B6", "versionEndExcluding": "1.2.8"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}