3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-49619

GHSA ID

GHSA-f899-4mr4-fqpv

EPSS Score

0.75741%

CWE

CWE-362

Published

1/10/2024

Updated

1/19/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-49619

CVE-2023-49619:
Apache Answer Race Condition vulnerability

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.2.0.

Under normal circumstances, a user can only bookmark a question once, and will only increase the number of questions bookmarked once. However, repeat submissions through the script can increase the number of collection of the question many times.

Users are recommended to upgrade to version [1.2.1], which fixes the issue.

(GitHub Advisory)

3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-49619

GHSA ID

GHSA-f899-4mr4-fqpv

EPSS Score

0.75741%

CWE

CWE-362

Published

1/10/2024

Updated

1/19/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/apache/incubator-answer	go	< 1.2.1	1.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper synchronization in bookmark handling. Two key functions are implicated: 1) The bookmark creation function (likely AddBookmark) that fails to atomically check-and-insert bookmarks, allowing concurrent duplicate entries. 2) The counter update function (likely UpdateQuestionBookmarkCount) that increments without proper transaction isolation. The pattern matches classic TOCTOU vulnerabilities where non-atomic check-then-act operations are vulnerable to race conditions between the existence check and write operation. The high confidence comes from the vulnerability description explicitly mentioning bookmark count manipulation through concurrent submissions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*on*urr*nt *x**ution usin* S**r** R*sour** wit* Improp*r Syn**roniz*tion ('R*** *on*ition') vuln*r**ility in *p**** *nsw*r. T*is issu* *****ts *p**** *nsw*r: t*rou** *.*.*. Un**r norm*l *ir*umst*n**s, * us*r **n only *ookm*rk * qu*stion on**, *n* w

Reasoning

T** vuln*r**ility st*ms *rom improp*r syn**roniz*tion in *ookm*rk **n*lin*. Two k*y *un*tions *r* impli**t**: *) T** *ookm*rk *r**tion *un*tion (lik*ly `****ookm*rk`) t**t **ils to *tomi**lly ****k-*n*-ins*rt *ookm*rks, *llowin* *on*urr*nt *upli**t*

3.1

Basic Information

Concerned about an active attack path?

CVE-2023-49619: Apache Answer Race Condition vulnerability

3.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-49619:
Apache Answer Race Condition vulnerability

Vulnerability Intelligence
Miggo AI