x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-48cr-j2cx-mcr8 #3158

GoVulnBot · 2024-09-25T15:01:14Z

Advisory GHSA-48cr-j2cx-mcr8 references a vulnerability in the following Go modules:

Module
github.com/apache/incubator-answer

Description:
Inadequate Encryption Strength vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.3.5.

Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead.
Users are recommended to upgrade to version 1.4.0, which fixes the issue.

References:

ADVISORY: GHSA-48cr-j2cx-mcr8
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-40761
FIX: apache/answer@c3a1704
WEB: https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x

Cross references:

github.com/apache/incubator-answer appears in 7 other report(s):
- data/reports/GO-2024-2457.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-f899-4mr4-fqpv #2457)
- data/reports/GO-2024-2578.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-8pf2-qj4v-fj64 #2578)
- data/reports/GO-2024-2579.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-rmqp-mvv2-54c6 #2579)
- data/reports/GO-2024-2580.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-9q24-hwmc-797x #2580)
- data/reports/GO-2024-2743.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-cvqr-mwh6-2vc6 #2743)
- data/reports/GO-2024-3064.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-gvpv-r32v-9737 #3064)
- data/reports/GO-2024-3065.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-v3x9-wrq5-868j #3065)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/incubator-answer
      versions:
        - fixed: 1.4.0
      vulnerable_at: 1.4.0-RC1
summary: 'Apache Answer: Avatar URL leaked user email addresses in github.com/apache/incubator-answer'
cves:
    - CVE-2024-40761
ghsas:
    - GHSA-48cr-j2cx-mcr8
references:
    - advisory: https://github.com/advisories/GHSA-48cr-j2cx-mcr8
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-40761
    - fix: https://github.com/apache/incubator-answer/commit/c3a17046c6c3be1cec16ba49d07d9f7742b7260f
    - web: https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x
source:
    id: GHSA-48cr-j2cx-mcr8
    created: 2024-09-25T15:01:13.993256308Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2024-09-26T17:57:27Z

Change https://go.dev/cl/616059 mentions this issue: data/reports: add 13 unreviewed reports

gopherbot · 2024-09-26T18:17:15Z

Change https://go.dev/cl/616060 mentions this issue: data/reports: add 11 unreviewed reports

tatianab added the triaged label Sep 26, 2024

gopherbot closed this as completed in 48d6810 Sep 26, 2024

GoVulnBot mentioned this issue Nov 22, 2024

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-mr95-vfcf-fx9p #3287

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-48cr-j2cx-mcr8 #3158

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-48cr-j2cx-mcr8 #3158

GoVulnBot commented Sep 25, 2024

gopherbot commented Sep 26, 2024

gopherbot commented Sep 26, 2024

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-48cr-j2cx-mcr8 #3158

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-48cr-j2cx-mcr8 #3158

Comments

GoVulnBot commented Sep 25, 2024

gopherbot commented Sep 26, 2024

gopherbot commented Sep 26, 2024