Miggo Logo
Miggo Vulnerability Database
CVE-2023-1540

CVE-2023-1540: Answer has Observable Response Discrepancy

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-1540
GHSA ID
GHSA-6x5v-cxpp-pc5x
EPSS Score
0.25444%
CWE
CWE-203
Published
3/21/2023
Updated
3/23/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/answerdev/answergo< 1.0.61.0.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from two key functions: 1) The service layer's RetrievePassWord in user_service.go explicitly returned a UserNotFound error when an email didn't exist, creating a detectable difference in error responses. 2) The controller in user_controller.go passed this error to the client. The patch fixed this by making the service layer return nil error regardless of email existence and modifying the controller to handle the uniform response. The commit message confirms this was an intentional fix for response discrepancy.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

O*s*rv**l* R*spons* *is*r*p*n*y in *it*u* r*pository *nsw*r**v/*nsw*r prior to *.*.*.

Reasoning

T** vuln*r**ility st*mm** *rom two k*y *un*tions: *) T** s*rvi** l*y*r's R*tri*v*P*ssWor* in us*r_s*rvi**.*o *xpli*itly r*turn** * Us*rNot*oun* *rror w**n *n *m*il *i*n't *xist, *r**tin* * **t**t**l* *i***r*n** in *rror r*spons*s. *) T** *ontroll*r i