Lucene search

GitHub Advisory DatabaseGHSA-48CR-J2CX-MCR8

HistorySep 25, 2024 - 9:30 a.m.

Apache Answer: Avatar URL leaked user email addresses

2024-09-2509:30:46

CWE-326

GitHub Advisory Database

github.com

apache answer

avatar url

md5

gravatar

sha256

email leakage

encryption strength

upgrade

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

7.1

Confidence

High

EPSS

Percentile

9.6%

JSON

Inadequate Encryption Strength vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.3.5.

Using the MD5 value of a user’s email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead.
Users are recommended to upgrade to version 1.4.0, which fixes the issue.

Affected configurations

Vulners

Node

apacheanswerRange<1.4.0

VendorProductVersionCPE
apacheanswer*cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	answer	*	cpe:2.3:a:apache:answer::::::::

References

github.com/advisories/GHSA-48cr-j2cx-mcr8

github.com/apache/incubator-answer/commit/c3a17046c6c3be1cec16ba49d07d9f7742b7260f

lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x

nvd.nist.gov/vuln/detail/CVE-2024-40761

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

7.1

Confidence

High

EPSS

Percentile

9.6%

JSON

Related for GHSA-48CR-J2CX-MCR8