CVE-2024-41888 — Missing Release of Resource after Effective Lifetime in Apache Incubator-answer

CWE-772 — Missing Release of Resource after Effective Lifetime5 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

1.4%

top 19.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Apache Incubator-answer Apache Answer Apache Software Foundation Apache Answer

Timeline

PublishedAug 12

Latest updateAug 13

Description

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDapache/answer< 1.3.6

▶Gogithub.com/apache_incubator-answer< 1.3.6

▶CVEListV5apache_software_foundation/apache_answer1.3.5

🔴Vulnerability Details

OSV

Apache Answer: The link for resetting user password is not Single-Use in github.com/apache/incubator-answer↗2024-08-13

▶

GHSA

Apache Answer: The link for resetting user password is not Single-Use↗2024-08-12

▶

OSV

Apache Answer: The link for resetting user password is not Single-Use↗2024-08-12

▶

CVEList

Apache Answer: The link for resetting user password is not Single-Use↗2024-08-09

▶