Miggo Logo
Miggo Vulnerability Database
CVE-2024-45719

CVE-2024-45719: Apache Answer: Predictable Authorization Token Using UUIDv1

2.6

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-45719
GHSA ID
GHSA-mr95-vfcf-fx9p
EPSS Score
0.1585%
CWE
CWE-326
Published
11/22/2024
Updated
11/27/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/apache/incubator-answergo< 1.4.11.4.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from using UUIDv1 for authorization tokens. While exact code isn't available, the advisory explicitly states UUIDv1 usage. In Go implementations, UUIDv1 is typically generated via functions like uuid.NewUUID() from the github.com/google/uuid package. The confidence is high because: 1) UUIDv1 is the only UUID version explicitly called out as problematic 2) Authorization token generation is a core security mechanism 3) The fix would logically involve switching to UUIDv4 or cryptographic randomness.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In***qu*t* *n*ryption Str*n*t* vuln*r**ility in *p**** *nsw*r. T*is issu* *****ts *p**** *nsw*r: t*rou** *.*.*. T** i*s **n*r*t** usin* t** UUI* v* v*rsion *r* to som* *xt*nt not s**ur* *nou**. It **n **us* t** **n*r*t** tok*n to ** pr**i*t**l*. Us

Reasoning

T** vuln*r**ility st*ms *rom usin* UUI*v* *or *ut*oriz*tion tok*ns. W*il* *x**t *o** isn't *v*il**l*, t** **visory *xpli*itly st*t*s UUI*v* us***. In *o impl*m*nt*tions, UUI*v* is typi**lly **n*r*t** vi* *un*tions lik* `uui*.N*wUUI*()` *rom t** `*it*