GHSA-48cr-j2cx-mcr8

Published: 25 Sep 2024
Source: github
Github: Reviewed
CVSS4: 6.9
CVSS3: 5.3

Description

Apache Answer: Avatar URL leaked user email addresses

Inadequate Encryption Strength vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.3.5.

Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead. Users are recommended to upgrade to version 1.4.0, which fixes the issue.
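
An added Go example (not Apache Answer's own code) that puts the MD5-derived Gravatar URL beside the SHA-256 form the advisory recommends, with a helper for finding stored avatar URLs that still carry an MD5 digest. The function names, the sample addresses and the `https://www.gravatar.com/avatar/` base are assumptions made for illustration.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"path"
	"strings"
)

const gravatarBase = "https://www.gravatar.com/avatar/"
// normalize trims and lowercases the address before it is hashed.
func normalize(email string) []byte { return []byte(strings.ToLower(strings.TrimSpace(email))) }

// LegacyAvatarURL is the weak "before" form: MD5 of the address in the URL.
func LegacyAvatarURL(email string) string {
	sum := md5.Sum(normalize(email))
	return gravatarBase + hex.EncodeToString(sum[:])
}

// AvatarURL is the recommended form: SHA-256 of the address in the URL.
func AvatarURL(email string) string {
	sum := sha256.Sum256(normalize(email))
	return gravatarBase + hex.EncodeToString(sum[:])
}

// ClassifyAvatarURL reports which digest a stored Gravatar URL carries.
func ClassifyAvatarURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || !strings.HasSuffix("."+strings.ToLower(u.Hostname()), ".gravatar.com") {
		return "other"
	}
	digest := path.Base(u.Path)
	if _, err := hex.DecodeString(digest); err != nil {
		return "other"
	}
	if kind, ok := map[int]string{32: "md5", 64: "sha256"}[len(digest)]; ok {
		return kind
	}
	return "other"
}

func main() {
	for _, stored := range []string{LegacyAvatarURL(" Alice@Example.org "), AvatarURL("alice@example.org")} {
		fmt.Println(ClassifyAvatarURL(stored), stored) // constructed sample addresses
	}
}
```

After upgrading, `ClassifyAvatarURL` can be run over cached or persisted avatar URLs so that any row still reported as `md5` is regenerated with `AvatarURL`.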

Packages

Name: github.com/apache/incubator-answer
Ecosystem: go
Affected versions: < 1.4.0
Fixed version: 1.4.0

EPSS

Percentile: 69%
0.00595
Low

CVSS4: 6.9 Medium

CVSS3: 5.3 Medium

Weaknesses

CWE-326

Related vulnerabilities

CVSS3: 5.3
nvd
more than 1 year ago

Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead. Users are recommended to upgrade to version 1.4.0, which fixes the issue.
