13/9/2024
18/11/2024
CVE-2024-6087: Improper Access Control in lunary-ai/lunary
First published: Fri Sep 13 2024 (Updated: )
An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users when they later register their own, unrelated organizations. The attacker can invite a target email, obtain a one-time-use token, retract the invite, and later use the token to reset the target user's password, leading to full account takeover.
Credit: security@huntr.dev
Affected Software | Affected Version | How to fix |
---|---|---|
npm/lunary | <1.4.9 | 1.4.9 |
lunary lunary | <1.4.9 | |
Frequently Asked Questions
What is the severity of CVE-2024-6087?
CVE-2024-6087 is classified as a critical vulnerability due to its potential to allow unauthorized access to JWT tokens.
Who is affected by CVE-2024-6087?
CVE-2024-6087 affects users of the lunary package with versions below 1.4.9.
How do I fix CVE-2024-6087?
To remediate CVE-2024-6087, you should upgrade the lunary package to version 1.4.9 or later.
What type of vulnerability is CVE-2024-6087?
CVE-2024-6087 is an improper access control vulnerability.
How can CVE-2024-6087 be exploited?
An attacker can exploit CVE-2024-6087 by using auth tokens from the 'invite user' functionality to obtain valid JWT tokens.
Aliases: CVE-2024-6087, GHSA-6p2q-8qfq-wq7x
Sources: MITRE, GitHub Advisory, NVD
Package manager: npm; vendor: lunary
© 2025 SecAlerts Pty Ltd.