What is the severity of CVE-2024-3502?

CVE-2024-3502 is classified as an information disclosure vulnerability, which can potentially expose sensitive user account recovery data.

How do I fix CVE-2024-3502?

To fix CVE-2024-3502, upgrade your lunary installation to version 1.2.6 or later.

Who is affected by CVE-2024-3502?

CVE-2024-3502 affects users of lunary-ai/lunary versions up to and including 1.2.5.

What type of vulnerability is CVE-2024-3502?

CVE-2024-3502 is an information disclosure vulnerability that allows unauthorized access to account recovery hashes.

When was CVE-2024-3502 disclosed?

CVE-2024-3502 was disclosed as a vulnerability in lunary-ai/lunary, affecting specific versions prior to the security fix.

Vulnerability/
CVE-2024-3502

critical

9.1

CWE

922

14/11/2024

30/1/2025

CVE-2024-3502: Exposure of Sensitive Information in lunary-ai/lunary

First published: Thu Nov 14 2024(Updated: )

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.

Credit: security@huntr.dev

Affected Software	Affected Version	How to fix
lunary lunary	<1.2.6

Remedy

https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74

Remedy

https://huntr.com/bounties/c2aff952-2dec-4538-8905-190c484aae94

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-3502?
CVE-2024-3502 is classified as an information disclosure vulnerability, which can potentially expose sensitive user account recovery data.
How do I fix CVE-2024-3502?
To fix CVE-2024-3502, upgrade your lunary installation to version 1.2.6 or later.
Who is affected by CVE-2024-3502?
CVE-2024-3502 affects users of lunary-ai/lunary versions up to and including 1.2.5.
What type of vulnerability is CVE-2024-3502?
CVE-2024-3502 is an information disclosure vulnerability that allows unauthorized access to account recovery hashes.
When was CVE-2024-3502 disclosed?
CVE-2024-3502 was disclosed as a vulnerability in lunary-ai/lunary, affecting specific versions prior to the security fix.

agent/references
agent/title
agent/type
agent/description
agent/first-publish-date
agent/author
agent/event
agent/remedy
agent/severity
agent/weakness
agent/softwarecombine
agent/source
agent/tags
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/nvd-api
source/NVD
vendor/lunary

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.