CVE-2024-3501

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-3501
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3501.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-3501
Published
2024-11-14T18:15:18Z
Modified
2025-01-30T15:50:48.116132Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.

References

Affected packages

Git / github.com/lunary-ai/lunary

Affected ranges

Type
GIT
Repo
https://github.com/lunary-ai/lunary
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.2.4

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.2.0
v0.2.1
v0.3.0
v0.3.1

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.5