In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.
History

Wed, 09 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Lunary
Lunary lunary
CPEs cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
Vendors & Products Lunary
Lunary lunary
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T17:46:06.653Z

Updated: 2024-08-01T21:11:12.415Z

Reserved: 2024-05-23T16:37:42.172Z

Link: CVE-2024-5277

cve-icon Vulnrichment

Updated: 2024-08-01T21:11:12.415Z

cve-icon NVD

Status : Modified

Published: 2024-06-06T18:15:20.087

Modified: 2024-11-21T09:47:20.217

Link: CVE-2024-5277

cve-icon Redhat

No data.