#VU96230 Missing Release of Resource after Effective Lifetime in Answer - CVE-2024-41888


Vulnerability identifier: #VU96230

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-41888

CWE-ID: CWE-772

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Answer
Web applications / Other software

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to take over other users' accounts.

The vulnerability exists within the password reset functionality, which does not invalidate the password reset link after it has been used to reset the password. A remote attacker can brute-force the password reset token and take over the victim's account even after the victim has successfully reset their password.
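The root cause described above is a reset token that stays valid after its one legitimate use. The following Go code is an added illustration for this advisory, not Apache Answer's own implementation: it contrasts a token store that merely validates the token (leaving the link reusable, as the advisory describes) with a single-use store that deletes the entry on first use, also honours an expiry window and keys entries by a hash of the token. The type and function names (ResetStore, Issue, Consume, ConsumeLeaky, RevokeUser) are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// resetEntry records which user a reset token belongs to and when it expires.
type resetEntry struct {
	userID  string
	expires time.Time
}

// ResetStore keeps outstanding password reset tokens keyed by the SHA-256
// of the token, so a leaked copy of the store does not yield usable links.
// (Hypothetical type for this example, not Answer's own data model.)
type ResetStore struct {
	mu      sync.Mutex
	entries map[string]resetEntry
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
}

func NewResetStore(ttl time.Duration) *ResetStore {
	return &ResetStore{entries: map[string]resetEntry{}, ttl: ttl, now: time.Now}
}

func tokenKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue creates a random 256-bit token for userID and returns the value that
// would be embedded in the emailed reset link.
func (s *ResetStore) Issue(userID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.entries[tokenKey(token)] = resetEntry{userID: userID, expires: s.now().Add(s.ttl)}
	return token, nil
}

// ConsumeLeaky mirrors the flaw in the advisory: the token is validated but
// left in the store, so the same link keeps working after the reset.
func (s *ResetStore) ConsumeLeaky(token string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[tokenKey(token)]
	if !ok || s.now().After(e.expires) {
		return "", false
	}
	return e.userID, true
}

// Consume is the single-use version: the entry is removed on its first use,
// whether or not it turns out to be expired, so a replayed link always fails.
func (s *ResetStore) Consume(token string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := tokenKey(token)
	e, ok := s.entries[key]
	if !ok {
		return "", false
	}
	delete(s.entries, key)
	if s.now().After(e.expires) {
		return "", false
	}
	return e.userID, true
}

// RevokeUser drops every outstanding token for a user, which a reset flow
// should call once the password has been changed by any path.
func (s *ResetStore) RevokeUser(userID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for k, e := range s.entries {
		if e.userID == userID {
			delete(s.entries, k)
		}
	}
}

func main() {
	s := NewResetStore(15 * time.Minute)
	tok, _ := s.Issue("alice") // constructed sample user
	_, first := s.Consume(tok)
	_, second := s.Consume(tok)
	fmt.Println("single-use store: first =", first, "second =", second)
}
```

The detection angle follows from the same property: once tokens are single-use, a second request carrying an already-consumed or unknown token is an anomaly worth logging and rate-limiting, which is also what blunts the brute-force the advisory mentions.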

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Answer: 0.2.0 - 1.3.5


External links
https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4
https://lists.apache.org/thread/96qxo0v7vyrjrpo12y8n9h7chr8qfdo7


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
