Multiple vulnerabilities in Apache Answer



Risk: Medium
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2024-41888, CVE-2024-41890
CWE-ID: CWE-772
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Answer (Web applications / Other software)
Vendor: Apache Foundation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Missing Release of Resource after Effective Lifetime

EUVDB-ID: #VU96230

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-41888

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to take over other users' accounts.

The vulnerability exists within the password reset functionality, which does not invalidate the password reset link after it has been used to reset the password. A remote attacker can brute-force the password reset token and take over the victim's account even after the victim has successfully reset their password.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Answer: 0.2.0 - 1.3.5

External links

https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4
https://lists.apache.org/thread/96qxo0v7vyrjrpo12y8n9h7chr8qfdo7


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Missing Release of Resource after Effective Lifetime

EUVDB-ID: #VU96229

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-41890

CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists within the password reset functionality, which does not invalidate the old password reset link after sending a new one. A remote attacker can generate multiple password reset requests and increase the chance of a successful token brute-force, leading to account takeover.
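Both defects in this bulletin come down to reset-token lifecycle: a token that stays valid after it has been redeemed (CVE-2024-41888) and old tokens that stay valid after a newer one is issued (CVE-2024-41890), each of which enlarges the window for the brute-force the descriptions mention. The Go sketch below is an added illustration of the hardened pattern; it is not Apache Answer's own code, and the names ResetStore, Issue, Redeem and LiveTokens are assumptions for the example. It keeps at most one live token per user, consumes a token on first use, stores only a digest of the token, and applies a fixed expiry.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// resetRecord is what the server stores per outstanding reset token.
// Only the SHA-256 digest of the token is kept, so a leaked table does
// not hand out usable reset links.
type resetRecord struct {
	userID    string
	expiresAt time.Time
}

// ResetStore (hypothetical name) keeps at most one live reset token per
// user and consumes a token the first time it is redeemed.
type ResetStore struct {
	mu     sync.Mutex
	ttl    time.Duration
	byHash map[string]resetRecord // token digest -> record
	byUser map[string]string      // user -> digest of their current token
	now    func() time.Time       // injectable clock for tests
}

func NewResetStore(ttl time.Duration) *ResetStore {
	return &ResetStore{
		ttl:    ttl,
		byHash: make(map[string]resetRecord),
		byUser: make(map[string]string),
		now:    time.Now,
	}
}

// hashToken turns the presented token into the lookup key. Looking up a
// digest rather than comparing the raw token also avoids any
// timing-dependent string comparison against stored values.
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue mints a fresh 256-bit random token for userID. Any earlier token
// for the same user is dropped first, so repeated reset requests never
// widen the set of tokens the server will accept (the CVE-2024-41890 defect).
func (s *ResetStore) Issue(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	h := hashToken(token)

	s.mu.Lock()
	defer s.mu.Unlock()
	if old, ok := s.byUser[userID]; ok {
		delete(s.byHash, old) // supersede the previous link
	}
	s.byHash[h] = resetRecord{userID: userID, expiresAt: s.now().Add(s.ttl)}
	s.byUser[userID] = h
	return token, nil
}

// Redeem validates a token exactly once. A matching record is removed
// before the expiry check, so a used link can never be replayed after the
// password has been reset (the CVE-2024-41888 defect).
func (s *ResetStore) Redeem(token string) (string, bool) {
	h := hashToken(token)
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.byHash[h]
	if !ok {
		return "", false
	}
	delete(s.byHash, h)
	if s.byUser[rec.userID] == h {
		delete(s.byUser, rec.userID)
	}
	if s.now().After(rec.expiresAt) {
		return "", false
	}
	return rec.userID, true
}

// LiveTokens reports how many tokens would currently be accepted. With
// this design it can never exceed the number of users with a pending
// reset, which is a cheap invariant to monitor.
func (s *ResetStore) LiveTokens() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.byHash)
}

func main() {
	store := NewResetStore(15 * time.Minute)
	t1, _ := store.Issue("alice")
	t2, _ := store.Issue("alice") // supersedes t1
	_, ok1 := store.Redeem(t1)    // false: superseded
	uid, ok2 := store.Redeem(t2)  // "alice", true
	_, ok3 := store.Redeem(t2)    // false: already consumed
	fmt.Println(ok1, uid, ok2, ok3, store.LiveTokens())
}
```

The in-memory maps stand in for whatever table a real application uses; the properties that matter are that issuing a token deletes the user's previous one and that redeeming deletes the token before the password is changed, so neither a replayed link nor an accumulation of older links is ever accepted.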

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Answer: 0.2.0 - 1.3.5

External links

https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9
https://lists.apache.org/thread/55yd0xk5xnv08fv4wklgqgbfnrwvvj5p


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


