Home > Vulnerability Database > CVE-2024-3502

Mend.io Vulnerability Database

CVE-2024-3502

Date: November 14, 2024

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from "GET /v1/users/me" and "GET /v1/users/me/org" endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.

Language: TYPE_SCRIPT

Severity Score

9.1

Related Resources (4)

Url: https://huntr.com/bounties/c2aff952-2dec-4538-8905-190c484aae94

Url: https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-3502

Url: https://www.mend.io/vulnerability-database/CVE-2024-3502

Severity Score

9.1

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insertion of Sensitive Information Into Sent Data

CWE-201

Insecure Storage of Sensitive Information

CWE-922

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-3502

Date: November 14, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?