PT-2024-3988 · Unknown · Lunary-Ai/Lunary
Published: 2024-04-07 · Updated: 2024-10-09 · CVE-2024-5277
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.4
Description: A vulnerability exists in the password recovery mechanism of lunary-ai/lunary, where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This could lead to unauthorized account access if an attacker obtains the recovery token.
Recommendations: For lunary-ai/lunary version 1.2.4, consider disabling the password recovery mechanism until a patch that prevents the reuse of reset password tokens is available. Restrict access to the password recovery process to minimize the risk of exploitation. Avoid using the password recovery feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
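As an added illustration (not Lunary's own code), a minimal TypeScript model of the defect described above beside a hardened handler. The in-memory store, the user and token shapes, and all function names are hypothetical; the point is that a reset token must be consumed on first use, and every other outstanding token for the account discarded, before the password changes.

```typescript
import { createHash, randomBytes } from "node:crypto";
// Hypothetical in-memory model for illustration; not Lunary's own schema or handlers.
type ResetToken = { userId: string; expiresAt: number };
type User = { id: string; passwordHash: string };
const users = new Map<string, User>();
// Tokens are keyed by their SHA-256 digest so a leaked store does not leak usable tokens.
const tokens = new Map<string, ResetToken>();
const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");

function issueResetToken(userId: string, ttlMs = 15 * 60_000): string {
  const token = randomBytes(32).toString("hex");
  tokens.set(sha256(token), { userId, expiresAt: Date.now() + ttlMs });
  return token;
}

function checkPassword(userId: string, password: string): boolean {
  return users.get(userId)?.passwordHash === sha256(password);
}

// VULNERABLE (the CVE-2024-5277 pattern): the token is looked up and honoured but never
// removed, so whoever holds it can change the password as often as they like.
function resetPasswordVulnerable(token: string, newPassword: string): boolean {
  const rec = tokens.get(sha256(token));
  if (!rec) return false;
  users.set(rec.userId, { id: rec.userId, passwordHash: sha256(newPassword) });
  return true;
}

// HARDENED: every outstanding token for the user is discarded before the password
// changes, and an expired token is refused, so a captured token works at most once.
function resetPasswordHardened(token: string, newPassword: string): boolean {
  const rec = tokens.get(sha256(token));
  if (!rec) return false;
  for (const [k, v] of tokens) if (v.userId === rec.userId) tokens.delete(k);
  if (rec.expiresAt < Date.now()) return false;
  users.set(rec.userId, { id: rec.userId, passwordHash: sha256(newPassword) });
  return true;
}

// Replays the same token twice through each handler; returns whether the replay succeeded.
function demo(): { vulnerableReuse: boolean; hardenedReuse: boolean } {
  users.set("alice", { id: "alice", passwordHash: sha256("old") });
  const t1 = issueResetToken("alice");
  resetPasswordVulnerable(t1, "first");
  const vulnerableReuse = resetPasswordVulnerable(t1, "replayed"); // true
  const t2 = issueResetToken("alice");
  resetPasswordHardened(t2, "first");
  const hardenedReuse = resetPasswordHardened(t2, "replayed"); // false
  return { vulnerableReuse, hardenedReuse };
}
```

Password storage is reduced to a bare SHA-256 here to keep the example short; a real handler would use a password KDF such as bcrypt, scrypt or Argon2.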

Related Identifiers

BDU:2024-04403
CVE-2024-5277

Affected Products

Lunary-Ai/Lunary