CVE-2024-3502

HIGH

lunary-ai/lunary <1.2.5 - Info Disclosure

Title source: llm

Description

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.

References (2)

[Patch] https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74

[Issue Tracking, Patch, Third Party Advisory] https://huntr.com/bounties/c2aff952-2dec-4538-8905-190c484aae94

Scores

CVSS v3 8.1

EPSS 0.0023

EPSS Percentile 45.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-201 CWE-922

Status published

Products (1)

lunary/lunary < 1.2.6

Published Nov 14, 2024

Tracked Since Feb 18, 2026