CVE-2024-5755 MEDIUM

CVE-2024-5755: Email Validation Bypass in lunary-ai/lunary

Vendor Lunary-Ai
Product lunary-ai/lunary
Weakness CWE-821
Published June 27, 2024
Last update August 1, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. This allows the creation of multiple accounts with essentially the same email address (e.g., 'attacker123@gmail.com' and 'attacker.123@gmail.com'), leading to incorrect synchronization and potential security issues.

Key dates

02Disclosure timeline

June 27, 2024 CVE published
August 1, 2024 Record updated