All the vulnerabilites related to Apache Software Foundation - Apache Answer
cve-2024-40761
Vulnerability from cvelistv5
Published
2024-09-25 07:31
Modified
2024-09-27 19:02
Severity ?
EPSS score ?
Summary
Apache Answer: Avatar URL leaked user email addresses
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Answer |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "answer",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "1.3.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-40761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T15:20:39.711931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T15:22:37.253Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-27T19:02:34.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/2"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/25/8"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/26/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/26/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/26/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/27/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/27/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/27/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Answer",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.3.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "\u5f20\u5cb3\u7199"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInadequate Encryption Strength vulnerability in Apache Answer.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Answer: through 1.3.5.\u003c/p\u003eUsing the MD5 value of a user\u0027s email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.4.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Inadequate Encryption Strength vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 1.3.5.\n\nUsing the MD5 value of a user\u0027s email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead.\nUsers are recommended to upgrade to version 1.4.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T07:31:08.416Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Answer: Avatar URL leaked user email addresses",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-40761",
"datePublished": "2024-09-25T07:31:08.416Z",
"dateReserved": "2024-07-10T07:49:21.665Z",
"dateUpdated": "2024-09-27T19:02:34.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-41890
Vulnerability from cvelistv5
Published
2024-08-09 14:53
Modified
2024-08-09 15:35
Severity ?
EPSS score ?
Summary
Apache Answer: The link to reset the user's password will remain valid after sending a new link
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9 | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Answer |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:54.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-09T15:35:39.103577Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T15:35:46.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Answer",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.3.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mohammad Reza Omrani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Release of Resource after Effective Lifetime vulnerability in Apache Answer.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Answer: through 1.3.5.\u003c/p\u003eUser sends multiple password reset emails, each containing a valid link. Within the link\u0027s validity period, this could potentially lead to the link being misused or hijacked.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.6, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 1.3.5.\n\nUser sends multiple password reset emails, each containing a valid link. Within the link\u0027s validity period, this could potentially lead to the link being misused or hijacked.\nUsers are recommended to upgrade to version 1.3.6, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:53:28.544Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Answer: The link to reset the user\u0027s password will remain valid after sending a new link",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-41890",
"datePublished": "2024-08-09T14:53:28.544Z",
"dateReserved": "2024-07-23T02:41:50.995Z",
"dateUpdated": "2024-08-09T15:35:46.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-41888
Vulnerability from cvelistv5
Published
2024-08-09 14:55
Modified
2024-08-09 15:17
Severity ?
EPSS score ?
Summary
Apache Answer: The link for resetting user password is not Single-Use
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4 | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Answer |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-09T15:02:53.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/09/5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-09T15:16:50.390764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T15:17:00.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Answer",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.3.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mohammad Reza Omrani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Release of Resource after Effective Lifetime vulnerability in Apache Answer.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Answer: through 1.3.5.\u003c/p\u003eThe password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.3.6, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 1.3.5.\n\nThe password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked.\nUsers are recommended to upgrade to version 1.3.6, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T14:55:14.493Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Answer: The link for resetting user password is not Single-Use",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-41888",
"datePublished": "2024-08-09T14:55:14.493Z",
"dateReserved": "2024-07-23T02:21:14.245Z",
"dateUpdated": "2024-08-09T15:17:00.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-26578
Vulnerability from cvelistv5
Published
2024-02-22 09:28
Modified
2024-08-02 00:07
Severity ?
EPSS score ?
Summary
Apache Answer: Repeated submission at registration created duplicate users with the same name
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Answer |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T18:08:28.840287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:57.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/ko0ksnznt2484lxt0zts2ygr82ldkhcb"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/22/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Answer",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mohammad Reza Omrani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability in Apache Answer.\u003cp\u003eThis issue affects Apache Answer: through 1.2.1.\u003c/p\u003eRepeated submission during registration resulted in the registration of the same user. When users register, if they rapidly submit multiple registrations using scripts, it can result in the creation of multiple user accounts simultaneously with the same name.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version [1.2.5], which fixes the issue.\u003c/p\u003e"
}
],
"value": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1.\n\nRepeated submission during registration resulted in the registration of the same user. When users register, if they rapidly submit multiple registrations using scripts, it can result in the creation of multiple user accounts simultaneously with the same name.\nUsers are recommended to upgrade to version [1.2.5], which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-22T09:28:15.274Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/ko0ksnznt2484lxt0zts2ygr82ldkhcb"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/22/3"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Answer: Repeated submission at registration created duplicate users with the same name",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-26578",
"datePublished": "2024-02-22T09:28:15.274Z",
"dateReserved": "2024-02-19T07:28:17.523Z",
"dateUpdated": "2024-08-02T00:07:19.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-23349
Vulnerability from cvelistv5
Published
2024-02-22 09:48
Modified
2024-08-01 22:59
Severity ?
EPSS score ?
Summary
Apache Answer: XSS vulnerability when submitting summary
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Answer |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T16:35:43.907714Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:55.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.284Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/22/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Answer",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Lyaa@JeeseenSec"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Apache Answer.\u003cp\u003eThis issue affects Apache Answer: through 1.2.1.\u003c/p\u003eXSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers are recommended to upgrade to version [1.2.5], which fixes the issue.\u003c/span\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1.\n\nXSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack.\n\nUsers are recommended to upgrade to version [1.2.5], which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-22T09:48:20.873Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/22/2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Answer: XSS vulnerability when submitting summary",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-23349",
"datePublished": "2024-02-22T09:48:20.873Z",
"dateReserved": "2024-01-16T02:49:36.161Z",
"dateUpdated": "2024-08-01T22:59:32.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-22393
Vulnerability from cvelistv5
Published
2024-02-22 09:51
Modified
2024-08-01 22:43
Severity ?
EPSS score ?
Summary
Apache Answer: Pixel Flood Attack by uploading the large pixel file
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Answer |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_answer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_answer",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-22393",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T18:20:22.601280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T18:23:19.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.846Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/f58l6dr4r74hl6o71gn47kmn44vw12cv"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/02/22/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Answer",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mohammad Reza Omrani"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.\u003cp\u003eThis issue affects Apache Answer: through 1.2.1.\u003c/p\u003ePixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user\u0026nbsp;can cause such an attack by uploading an image when posting content.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version [1.2.5], which fixes the issue.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1.\n\nPixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user\u00a0can cause such an attack by uploading an image when posting content.\nUsers are recommended to upgrade to version [1.2.5], which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-22T09:51:43.432Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/f58l6dr4r74hl6o71gn47kmn44vw12cv"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/02/22/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Answer: Pixel Flood Attack by uploading the large pixel file",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-22393",
"datePublished": "2024-02-22T09:51:43.432Z",
"dateReserved": "2024-01-10T09:36:26.394Z",
"dateUpdated": "2024-08-01T22:43:34.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-29217
Vulnerability from cvelistv5
Published
2024-04-21 16:04
Modified
2024-08-02 01:10
Severity ?
EPSS score ?
Summary
Apache Answer: XSS vulnerability when changing personal website
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Answer |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:answer:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "answer",
"vendor": "apache",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29217",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T18:53:48.378334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:57:20.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.403Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/nc0g1borr0d3wx25jm39pn7nyf268n0x"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/19/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Answer",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Tsubasa Umeuchi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Apache Answer.\u003cp\u003eThis issue affects Apache Answer: before 1.3.0.\u003c/p\u003eXSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input malicious code in the website to create such an attack.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version [1.3.0], which fixes the issue.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Apache Answer.This issue affects Apache Answer: before 1.3.0.\n\nXSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input malicious code in the website to create such an attack.\nUsers are recommended to upgrade to version [1.3.0], which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-21T16:04:10.514Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nc0g1borr0d3wx25jm39pn7nyf268n0x"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/19/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Answer: XSS vulnerability when changing personal website",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29217",
"datePublished": "2024-04-21T16:04:10.514Z",
"dateReserved": "2024-03-19T01:49:13.387Z",
"dateUpdated": "2024-08-02T01:10:55.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-49619
Vulnerability from cvelistv5
Published
2024-01-10 08:25
Modified
2024-09-03 18:53
Severity ?
EPSS score ?
Summary
Apache Answer: Repeated submissions using scripts resulted in an abnormal number of collections for questions.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Answer |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/nscrl3c7pn68q4j73y3ottql6n5x3hd4"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/01/10/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49619",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T18:52:54.771460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T18:53:14.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Answer",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ek1ng"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability in Apache Answer.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eThis issue affects Apache Answer: through 1.2.0.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUnder normal circumstances, a user can only bookmark a question once, and will only increase the number of questions bookmarked once. However, repeat submissions through the script can increase the number of collection of the question many times.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers are recommended to upgrade to version [\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e1.2.1\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e], which fixes the issue.\u003c/span\u003e"
}
],
"value": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 1.2.0.\n\nUnder normal circumstances, a user can only bookmark a question once, and will only increase the number of questions bookmarked once. However, repeat submissions through the script can increase the number of collection of the question many times.\n\nUsers are recommended to upgrade to version [1.2.1], which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-10T08:25:01.610Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/nscrl3c7pn68q4j73y3ottql6n5x3hd4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/01/10/1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Answer: Repeated submissions using scripts resulted in an abnormal number of collections for questions.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49619",
"datePublished": "2024-01-10T08:25:01.610Z",
"dateReserved": "2023-11-28T06:34:49.463Z",
"dateUpdated": "2024-09-03T18:53:14.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-45719
Vulnerability from cvelistv5
Published
2024-11-22 14:36
Modified
2024-11-22 20:18
Severity ?
EPSS score ?
Summary
Apache Answer: Predictable Authorization Token Using UUIDv1
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/sz2d0z39k01nbx3r9pj65t76o1hy9491 | vendor-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Apache Software Foundation | Apache Answer |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-11-22T18:03:21.717Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/22/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45719",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-22T20:12:35.531395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T20:18:15.264Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Answer",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Chi Tran from Eevee"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInadequate Encryption Strength vulnerability in Apache Answer.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Answer: through 1.4.0.\u003c/p\u003eThe ids generated using the UUID v1 version are to some extent not secure enough. It can cause the generated token to be predictable.\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.4.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Inadequate Encryption Strength vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 1.4.0.\n\nThe ids generated using the UUID v1 version are to some extent not secure enough. It can cause the generated token to be predictable.\nUsers are recommended to upgrade to version 1.4.1, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-326",
"description": "CWE-326 Inadequate Encryption Strength",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-22T14:36:44.588Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/sz2d0z39k01nbx3r9pj65t76o1hy9491"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Answer: Predictable Authorization Token Using UUIDv1",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45719",
"datePublished": "2024-11-22T14:36:44.588Z",
"dateReserved": "2024-09-05T08:29:10.968Z",
"dateUpdated": "2024-11-22T20:18:15.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}