CVE-2024-5328

9.3 CRITICAL

📋 TL;DR

This SSRF vulnerability in lunary-ai/lunary allows attackers to make unauthorized server-side requests to internal or external resources by exploiting an unvalidated URL parameter in the SAML authentication endpoint. Attackers could access sensitive internal systems, exfiltrate data, or disrupt services. All users running the affected application are vulnerable.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: All versions up to and including the latest as of the report
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when SAML authentication is enabled and the affected endpoint is accessible.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of internal network resources, sensitive data exfiltration, and lateral movement to critical systems via internal service exploitation.

🟠 Likely Case

Unauthorized access to internal metadata services (like AWS/Azure instance metadata), internal API endpoints, or file disclosure from internal servers.

🟢 If Mitigated

Limited to external resource scanning or denial-of-service against external targets if internal network access is restricted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required. No authentication needed to access the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor the lunary-ai/lunary repository for security updates.

🔧 Temporary Workarounds

Disable SAML Authentication (applies to: all)

Temporarily disable SAML authentication to remove the vulnerable endpoint.

Steps:
  • Modify the application configuration to disable SAML authentication

Network Access Control (applies to: all)

Restrict access to the vulnerable endpoint using a web application firewall or network controls.

Steps:
  • Add a WAF rule to block requests to '/auth/saml/tto/download-idp-xml' that carry URL parameters
  • Implement IP whitelisting for the endpoint

🧯 If You Can't Patch

  • Implement strict outbound network filtering to prevent the application from accessing internal resources
  • Deploy the application in a segmented network zone with limited access to sensitive internal systems

🔍 How to Verify

Check if Vulnerable:

Test by sending a request to '/auth/saml/tto/download-idp-xml' with a URL parameter pointing to an internal service and checking if the request succeeds

Check Version:

Check the application version in the lunary configuration or package.json file

Verify Fix Applied:

Verify that URL validation is implemented and requests to internal resources are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to '/auth/saml/tto/download-idp-xml' with URL parameters
  • Outbound connections from the application to internal IP ranges or unusual external domains

Network Indicators:

  • HTTP traffic from the application server to internal services not normally accessed
  • Unusual port scanning activity originating from the application server

SIEM Query:

source="web_server" AND uri="/auth/saml/tto/download-idp-xml" AND url_parameter="*"
