Cyber Resilience

CVE-2024-5277

HighPublic PoC

Published: 06 June 2024

Published
06 June 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0014 33.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-5277 is a high-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Lunary Lunary. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked at the 33.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: AML.T0039.

EU & UK References

Vulnerability details

In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account.…

more

The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Lunary-ai/lunary is an open-source LLM observability and evaluation platform for AI/ML applications, categorized under Other Platforms as it provides infrastructure for monitoring and managing AI deployments.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The password reset token reuse vulnerability enables exploitation of a public-facing application (T1190) for unauthorized account takeover, facilitating the abuse of valid accounts (T1078).

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0039

Affected Assets

lunary
lunary
≤ 1.4.9

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-640

Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms.

References