Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00OGNyLWoyY3gtbWNyOM4AA_xB

Apache Answer: Avatar URL leaked user email addresses

Inadequate Encryption Strength vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.3.5.

Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead.
Users are recommended to upgrade to version 1.4.0, which fixes the issue.
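
An added example (not Apache Answer's code and not part of the advisory): Go code for the SHA-256 form of the Gravatar lookup that the advisory recommends, with a helper for auditing rendered avatar URLs for leftover MD5-length digests. The function names and the sample URLs are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// gravatarURL builds an avatar URL from the SHA-256 digest of the trimmed,
// lower-cased email address, in place of the MD5 digest the advisory warns about.
func gravatarURL(email string) string {
	norm := strings.ToLower(strings.TrimSpace(email))
	sum := sha256.Sum256([]byte(norm))
	return "https://www.gravatar.com/avatar/" + hex.EncodeToString(sum[:])
}

// classifyAvatar reports which digest a Gravatar URL carries, judged by the
// length of the hex value in its last path segment (32 = MD5, 64 = SHA-256).
func classifyAvatar(raw string) string {
	u, err := url.Parse(raw)
	// Prefixing "." matches gravatar.com and its subdomains, not look-alike hosts.
	if err != nil || !strings.HasSuffix("."+strings.ToLower(u.Hostname()), ".gravatar.com") {
		return "not-gravatar"
	}
	seg := path.Base(u.Path)
	seg = strings.TrimSuffix(seg, path.Ext(seg)) // drop an optional ".jpg"
	if _, err := hex.DecodeString(seg); err != nil {
		return "unknown"
	}
	switch len(seg) {
	case 32:
		return "md5"
	case 64:
		return "sha256"
	}
	return "unknown"
}

func main() {
	// Constructed samples; the 32-character value is a placeholder, not a real digest.
	old := "https://www.gravatar.com/avatar/" + strings.Repeat("ab", 16) + ".jpg?s=96"
	for _, s := range []string{old, gravatarURL(" User@Example.org ")} {
		fmt.Printf("%-8s %s\n", classifyAvatar(s), s)
	}
}
```

Running `classifyAvatar` over avatar URLs collected from rendered pages or API responses after the upgrade to 1.4.0 shows whether any MD5-length digests are still being served, for example from a cache.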

Permalink: https://github.com/advisories/GHSA-48cr-j2cx-mcr8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00OGNyLWoyY3gtbWNyOM4AA_xB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 18 days ago
Updated: 18 days ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-48cr-j2cx-mcr8, CVE-2024-40761
References: Repository: https://github.com/apache/incubator-answer
Blast Radius: 1.0

Affected Packages

go:github.com/apache/incubator-answer
Dependent packages: 21
Dependent repositories: 0
Affected Version Ranges: < 1.4.0
Fixed in: 1.4.0
All affected versions: 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.5
All unaffected versions: