SB2024082010 - Multiple vulnerabilities in Apache Answer 

Published: August 20, 2024

Security Bulletin ID: SB2024082010
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2024-41888)

The vulnerability allows a remote attacker to take over other users' accounts.

The vulnerability exists within the password reset functionality, which does not invalidate the password reset link after it has been used to reset the password. A remote attacker can brute-force the password reset token and take over the victim's account even after the victim has successfully reset their password.

2) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2024-41890)

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists within the password reset functionality, which does not invalidate the old password reset link after sending a new one. A remote attacker can generate multiple password reset requests and increase the chance of a successful token brute-force, leading to account takeover.
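Both issues come down to the same missing behaviour: a reset token must die the moment it is used, and issuing a new token must revoke the user's previous one. As an added example that is not part of this bulletin or of Apache Answer's code base, the following Go token store (hypothetical names ResetStore, Issue and Consume) shows both rules in one place.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)
var ErrInvalidToken = errors.New("invalid or expired reset token") // also for used/revoked
type entry struct{ user string; expires time.Time }
// ResetStore is a hypothetical in-memory reset-token store, not Apache Answer's code.
type ResetStore struct {
	mu      sync.Mutex
	byToken map[string]entry  // live token -> owner and expiry
	byUser  map[string]string // user -> the one token currently valid for them
	ttl     time.Duration
}

func NewResetStore(ttl time.Duration) *ResetStore {
	return &ResetStore{byToken: map[string]entry{}, byUser: map[string]string{}, ttl: ttl}
}
// Issue mints a fresh 256-bit token and revokes the user's earlier one (CVE-2024-41890).
func (s *ResetStore) Issue(user string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	if old, ok := s.byUser[user]; ok {
		delete(s.byToken, old) // a new request must not leave the old link live
	}
	s.byToken[tok] = entry{user: user, expires: time.Now().Add(s.ttl)}
	s.byUser[user] = tok
	return tok, nil
}
// Consume validates tok once and deletes it, so a used link cannot be replayed (CVE-2024-41888).
func (s *ResetStore) Consume(tok string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.byToken[tok]
	delete(s.byToken, tok) // drop it whether or not it was valid
	if !ok || time.Now().After(e.expires) {
		return "", ErrInvalidToken
	}
	delete(s.byUser, e.user)
	return e.user, nil
}
```

A real deployment would keep the same two invariants in the database rather than in process memory, and would store only a hash of the token.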


Remediation

Install the update from the vendor's website.