CVE-2024-6087
📋 TL;DR
This vulnerability allows attackers to exploit the user invitation system in lunary-ai/lunary to obtain valid JWT tokens and perform account takeover. Attackers can invite target users, obtain one-time tokens, retract invites, then use those tokens to reset passwords and gain full control of accounts. All users of lunary-ai/lunary with the vulnerable code are affected.
💻 Affected Systems
- lunary-ai/lunary
📦 What is this software?
Lunary by Lunary
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user, allowing attackers to access sensitive AI data, modify configurations, and potentially compromise entire organizations.
Likely Case
Targeted account compromise of specific users, leading to unauthorized access to AI projects, models, and organizational data.
If Mitigated
Failed authentication attempts logged, with no successful account compromise due to proper token validation and access controls.
🎯 Exploit Status
Exploit requires ability to invite users (typically authenticated access), but the attack chain is straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 844e8855c7a713dc7371766dba4125de4007b1cf
Vendor Advisory: https://github.com/lunary-ai/lunary/commit/844e8855c7a713dc7371766dba4125de4007b1cf
Restart Required: Yes
Instructions:
1. Update to commit 844e8855c7a713dc7371766dba4125de4007b1cf or later.
2. Restart the lunary application.
3. Verify the fix by testing the invite/registration flow.
🔧 Temporary Workarounds
Disable user invitations
- Temporarily disable the 'invite user' functionality to prevent exploitation
- Modify application configuration to disable user invitation features
Implement additional token validation
- Add server-side validation to ensure invite tokens cannot be reused after invite retraction
- Implement token revocation logic in authentication middleware
🧯 If You Can't Patch
- Implement rate limiting on password reset endpoints
- Enable multi-factor authentication for all user accounts
🔍 How to Verify
Check if Vulnerable:
Check if your lunary instance is using code prior to commit 844e8855c7a713dc7371766dba4125de4007b1cf
Check Version:
git log --oneline -1
Verify Fix Applied:
Test the invite flow:
1. Invite a test user
2. Retract the invite
3. Attempt to use the token for password reset; it should fail
📡 Detection & Monitoring
Log Indicators:
- Multiple invite/retract cycles for same email
- Password reset attempts using expired invite tokens
- Unusual account registration patterns
Network Indicators:
- Rapid sequence of POST requests to /api/invite and /api/invite/retract endpoints
- Password reset requests following invite retractions
SIEM Query:
source="lunary-logs" AND (event="invite_retracted" FOLLOWED BY event="password_reset" WITHIN 5m BY email)
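The retract-then-reset correlation and the repeated invite/retract indicator above, as an added detection example that is not lunary project code. It runs over constructed JSON-per-line log records; the field names ts/event/email/actor/src_ip and the event names invite_created/invite_retracted/password_reset are assumptions about the log schema, not lunary's real format.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # same 5-minute window as the SIEM query

# Constructed sample log lines (one JSON object per line); the field names
# ts/event/email/actor/src_ip are assumptions, not lunary's real log schema.
SAMPLE_LOG = """\
{"ts": "2024-06-01T10:00:00Z", "event": "invite_created", "email": "alice@example.com", "actor": "mallory@example.com"}
{"ts": "2024-06-01T10:00:05Z", "event": "invite_retracted", "email": "alice@example.com", "actor": "mallory@example.com"}
{"ts": "2024-06-01T10:00:09Z", "event": "invite_created", "email": "alice@example.com", "actor": "mallory@example.com"}
{"ts": "2024-06-01T10:00:12Z", "event": "invite_retracted", "email": "alice@example.com", "actor": "mallory@example.com"}
{"ts": "2024-06-01T10:01:30Z", "event": "password_reset", "email": "alice@example.com", "src_ip": "203.0.113.7"}
{"ts": "2024-06-01T11:00:00Z", "event": "invite_retracted", "email": "bob@example.com", "actor": "admin@example.com"}
{"ts": "2024-06-01T11:30:00Z", "event": "password_reset", "email": "bob@example.com", "src_ip": "198.51.100.4"}
"""

def parse_log(text):
    """Parse JSON-per-line records and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def retract_then_reset(events, window=WINDOW):
    """Password resets that follow an invite retraction for the same email
    within `window`. A hit is a lead to triage, not proof of compromise:
    a legitimately re-invited user can produce the same sequence."""
    last_retract = {}  # email -> time of the most recent invite_retracted
    hits = []
    for rec in events:
        email, kind = rec.get("email"), rec.get("event")
        if kind == "invite_retracted":
            last_retract[email] = rec["ts"]
        elif kind == "password_reset" and email in last_retract:
            if rec["ts"] - last_retract[email] <= window:
                hits.append((email, rec["ts"], rec.get("src_ip")))
    return hits

def invite_cycle_counts(events, threshold=2):
    """Emails with at least `threshold` invite retractions: the 'multiple
    invite/retract cycles for same email' indicator."""
    counts = Counter(r["email"] for r in events if r["event"] == "invite_retracted")
    return {email: n for email, n in counts.items() if n >= threshold}
```

On the sample data only alice's reset lands inside the window (bob's comes 30 minutes after the retraction), and alice is the only address with repeated invite/retract cycles.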