CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses

September 25, 2024

Inadequate Encryption Strength vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.3.5.

Using the MD5 value of a user’s email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead. Users are recommended to upgrade to version 1.4.0, which fixes the issue.

References

github.com/advisories/GHSA-48cr-j2cx-mcr8
github.com/apache/incubator-answer
github.com/apache/incubator-answer/commit/c3a17046c6c3be1cec16ba49d07d9f7742b7260f
lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x
nvd.nist.gov/vuln/detail/CVE-2024-40761

Detect and mitigate CVE-2024-40761 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →