Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-gvpv-r32v-9737 #3064

Closed
GoVulnBot opened this issue Aug 12, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-gvpv-r32v-9737 #3064

GoVulnBot opened this issue Aug 12, 2024 · 1 comment
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-gvpv-r32v-9737 references a vulnerability in the following Go modules:

Module
github.com/apache/incubator-answer

Description:
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.3.5.

User sends multiple password reset emails, each containing a valid link. Within the link's validity period, this could potentially lead to the link being misused or hijacked.
Users are recommended to upgrade to version 1.3.6, which fixes the issue.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/incubator-answer
      versions:
        - fixed: 1.3.6
      vulnerable_at: 1.3.6-RC1
summary: |-
    Apache Answer: The link to reset the user's password will remain valid after
    sending a new link in github.com/apache/incubator-answer
cves:
    - CVE-2024-41890
ghsas:
    - GHSA-gvpv-r32v-9737
references:
    - advisory: https://github.com/advisories/GHSA-gvpv-r32v-9737
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41890
    - fix: https://github.com/apache/incubator-answer/commit/2820efc454f5808974dce0aa99aac106be3f727b
    - web: https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9
source:
    id: GHSA-gvpv-r32v-9737
    created: 2024-08-12T19:01:13.604699685Z
review_status: UNREVIEWED
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/605315 mentions this issue: data/reports: add 7 unreviewed reports

@GoVulnBot GoVulnBot mentioned this issue Sep 25, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot