1. Home
  2. CVE Database
  3. CVE-2024-5277
HIGH · 7.5

CVE-2024-5277

In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the re...

Vulnerability Description

In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
LunaryLunary< 1.4.9

Related Weaknesses (CWE)

CWE-640

References

FAQ

What is CVE-2024-5277?

CVE-2024-5277 is a vulnerability with a CVSS score of 7.5 (HIGH). In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the re...

How severe is CVE-2024-5277?

CVE-2024-5277 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-5277?

Check the references section above for vendor advisories and patch information. Affected products include: Lunary Lunary.