How severe is CVE-2024-3502?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2024-3502?

This is classified as CWE-922, which is a common weakness in software security.

CVE-2024-3502 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.

Related Vulnerabilities

CVE-2022-0724

CRITICAL

CVSS:9.1(Critical)

Insecure Storage of Sensitive Information in GitHub repository microweber/microweber prior to 1.3.

CWE-9222022

CVE-2024-10943

CRITICAL

CVSS:9.1(Critical)

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat...

CWE-9222024

CVE-2024-30896

CRITICAL

CVSS:9.1(Critical)

InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default orga...

CWE-9222024

CVE-2024-3501

CRITICAL

CVSS:9.1(Critical)

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/use...

CWE-9222024

CVE-2017-7253

HIGH

CVSS:8.8(High)

Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: 1. Use the default low-privilege credentials to list all users via a request to a certain URI. 2. Login to the IP camera with adm...

CWE-9222017

CVE-2023-42913

HIGH

CVSS:8.8(High)

This issue was addressed through improved state management. This issue is fixed in macOS Sonoma 14.2. Remote Login sessions may be able to obtain full disk access permissions.

CWE-9222023