CVE-2024-5277
Published: 06 June 2024
Summary
CVE-2024-5277 is a high-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Lunary (lunary-ai/lunary). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). It is ranked at the 33.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: categorised as Other Platforms, in the Supply Chain and Deployment risk domain; MITRE ATLAS technique in scope: AML.T0039.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46513
Vulnerability details
In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account.
The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.
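The defect described above (a reset token that stays valid after the password has been changed) next to the single-use handling that closes it, as an added example in TypeScript. This is illustrative code written for this entry, not Lunary's backend: the class, method and field names are hypothetical, the user store is constructed in-line, and the password hashing is a placeholder (a real service would use argon2 or bcrypt).

```typescript
// Added example, not lunary-ai/lunary code. Shows why a reset token must be
// consumed on use (CWE-640) by contrasting a reusable check with a single-use one.
import { createHash, randomBytes } from "node:crypto";

interface ResetRecord {
  userId: string;
  expiresAt: number;   // epoch milliseconds
  usedAt?: number;     // set when the token has been consumed
}

function sha256(input: string): string {
  return createHash("sha256").update(input).digest("hex");
}

class ResetTokenStore {
  // Keyed by the SHA-256 of the token, so a leaked store does not leak live tokens.
  private records = new Map<string, ResetRecord>();

  constructor(
    private readonly ttlMs: number = 15 * 60 * 1000,
    private readonly now: () => number = Date.now,
  ) {}

  // Issue a fresh token. Earlier outstanding tokens for the same user are
  // dropped so that only the most recent recovery link is honoured.
  issue(userId: string): string {
    this.records.forEach((r, h) => {
      if (r.userId === userId) this.records.delete(h);
    });
    const token = randomBytes(32).toString("hex");
    this.records.set(sha256(token), { userId, expiresAt: this.now() + this.ttlMs });
    return token;
  }

  // Vulnerable pattern (the behaviour the advisory describes): the record is
  // validated but never marked used or removed, so the same token works again.
  consumeReusable(token: string): string | null {
    const r = this.records.get(sha256(token));
    if (!r || r.expiresAt < this.now()) return null;
    return r.userId;
  }

  // Fixed pattern: the token is accepted once. The record is marked used in the
  // same step as the check, so a second presentation of the token is rejected.
  consumeOnce(token: string): string | null {
    const r = this.records.get(sha256(token));
    if (!r || r.expiresAt < this.now() || r.usedAt !== undefined) return null;
    r.usedAt = this.now();
    return r.userId;
  }
}

// Constructed in-memory user store: userId -> password hash (placeholder hashing).
const passwordHashes = new Map<string, string>([["u1", sha256("salt:old-password")]]);

// Password reset flow built on the single-use path. Returns true only when the
// token was accepted and the password actually changed.
function resetPassword(store: ResetTokenStore, token: string, newPassword: string): boolean {
  const userId = store.consumeOnce(token);
  if (userId === null) return false;
  passwordHashes.set(userId, sha256("salt:" + newPassword)); // placeholder, not a real KDF
  return true;
}

function currentPasswordHash(userId: string): string | undefined {
  return passwordHashes.get(userId);
}
```

Marking the record as used (rather than deleting it) keeps an audit trail of when the token was consumed while still refusing reuse; issuing a new token also discards older ones, so a token captured earlier cannot be played back after the legitimate user has requested a fresh link.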
- CWE(s): CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Lunary-ai/lunary is an open-source LLM observability and evaluation platform for AI/ML applications, categorized under Other Platforms as it provides infrastructure for monitoring and managing AI deployments.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The password reset token reuse vulnerability enables exploitation of a public-facing application (T1190) for unauthorized account takeover, facilitating the abuse of valid accounts (T1078).
MITRE ATLAS techniques: AML.T0039
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms.