CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.79607%
CWE
Published
9/25/2024
Updated
9/25/2024
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/apache/incubator-answer | go | < 1.4.0 | 1.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from using MD5 hashing for email addresses in Gravatar URLs. The commit diff shows: 1) Removal of 'md5' package from dependencies 2) Replacement of MD5(str) with sha256(str) in the profile component 3) Security advisory explicitly states MD5 usage was the vulnerability. The key vulnerable function is the MD5 hash generation in index.tsx that processes user emails before sending them to Gravatar.