Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00OGNyLWoyY3gtbWNyOM4AA_xB
Apache Answer: Avatar URL leaked user email addresses
Inadequate Encryption Strength vulnerability in Apache Answer.
This issue affects Apache Answer: through 1.3.5.
Using the MD5 hash of a user's email address to access Gravatar is insecure and can lead to leakage of the user's email address. The official recommendation is to use SHA256 instead.
Users are recommended to upgrade to version 1.4.0, which fixes the issue.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00OGNyLWoyY3gtbWNyOM4AA_xB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 18 days ago
Updated: 18 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-48cr-j2cx-mcr8, CVE-2024-40761
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-40761
- https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x
- https://github.com/apache/incubator-answer/commit/c3a17046c6c3be1cec16ba49d07d9f7742b7260f
- https://github.com/advisories/GHSA-48cr-j2cx-mcr8
Blast Radius: 1.0
Affected Packages
go:github.com/apache/incubator-answer
Dependent packages: 21
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.4.0
Fixed in: 1.4.0
All affected versions: 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.5
All unaffected versions: