CVE-2024-5386: Password Reset Token Leak in lunary-ai/lunary Allows Account Hijacking

Critical Vulnerability Information Vulnerability Description Vulnerability Name: viewer role user can hijack other user account via password reset token leak in lunary-ai/lunary CVE: CVE-2024-5386 Vulnerability Type: CWE-1125: Excessive Attack Surface Severity: Critical (9.6) Vulnerability Details Affected Version: 1.2.2 Status: Fixed Discoverer: rangit-git (@rangit-git) Fixer: Hugues Chocart (@hughcart) Vulnerability Details Attack Vector: Network Complexity: Low Required Privileges: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None Vulnerability Bounty Disclosure Bounty: $900 Fix Bounty: $225 Vulnerability Reproduction Steps 1. Create an account named user-A. 2. Log in with user-A and add a user named user-B with the "viewer" role. 3. user-B logs into their account and accesses http://localhost.com:3333/team, where they can see user-A’s (admin) email address. 4. user-B, in a different browser, visits http://localhost.com:3333/request-password-reset and requests a password reset for user-A. user-A will receive the password reset link. 5. user-B sends a request to retrieve the above password reset token. Impact A user with viewer role can hijack another user’s account via password reset token leakage. Fix Notes Hugues Chocart fixed this vulnerability in version 1.2.14, with fix commit fc7ab34.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2024-5386: Password Reset Token Leak in lunary-ai/lunary Allows Account Hijacking