Miggo Logo
Miggo Vulnerability Database
CVE-2024-40761

CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-40761
GHSA ID
GHSA-48cr-j2cx-mcr8
EPSS Score
0.79607%
CWE
CWE-326
Published
9/25/2024
Updated
9/25/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/apache/incubator-answergo< 1.4.01.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from using MD5 hashing for email addresses in Gravatar URLs. The commit diff shows: 1) Removal of 'md5' package from dependencies 2) Replacement of MD5(str) with sha256(str) in the profile component 3) Security advisory explicitly states MD5 usage was the vulnerability. The key vulnerable function is the MD5 hash generation in index.tsx that processes user emails before sending them to Gravatar.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In***qu*t* *n*ryption Str*n*t* vuln*r**ility in *p**** *nsw*r. T*is issu* *****ts *p**** *nsw*r: t*rou** *.*.*. Usin* t** M** v*lu* o* * us*r's *m*il to ****ss *r*v*t*r is ins**ur* *n* **n l*** to t** l**k*** o* us*r *m*il. T** o**i*i*l r**omm*n**t

Reasoning

T** vuln*r**ility st*ms *rom usin* M** **s*in* *or *m*il ***r*ss*s in *r*v*t*r URLs. T** *ommit *i** s*ows: *) R*mov*l o* 'm**' p**k*** *rom **p*n**n*i*s *) R*pl***m*nt o* M**(str) wit* s*****(str) in t** pro*il* *ompon*nt *) S**urity **visory *xpli*