#VU96229 Missing Release of Resource after Effective Lifetime in Answer - CVE-2024-41890

Cybersecurity Help s.r.o.

Published: 2024-08-20

Vulnerability identifier: #VU96229

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-41890

CWE-ID: CWE-772

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Answer
Web applications / Other software

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists within the password reset functionality, which does not invalidate the old password reset link after sending a new one. A remote attacker can generate multiple password reset requests and increase the chance of a successful token brute-force, leading to account takeover.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Answer: 0.2.0 - 1.3.5

External links
https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9
https://lists.apache.org/thread/55yd0xk5xnv08fv4wklgqgbfnrwvvj5p

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Apache Answer