x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-mr95-vfcf-fx9p #3287

GoVulnBot · 2024-11-22T23:01:24Z

Advisory GHSA-mr95-vfcf-fx9p references a vulnerability in the following Go modules:

Module
github.com/apache/incubator-answer

Description:
Inadequate Encryption Strength vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.4.0.

The ids generated using the UUID v1 version are to some extent not secure enough. It can cause the generated token to be predictable.
Users are recommended to upgrade to version 1.4.1, which fixes the issue.

References:

ADVISORY: GHSA-mr95-vfcf-fx9p
ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-45719
WEB: http://www.openwall.com/lists/oss-security/2024/11/22/1
WEB: https://lists.apache.org/thread/sz2d0z39k01nbx3r9pj65t76o1hy9491

Cross references:

github.com/apache/incubator-answer appears in 8 other report(s):
- data/reports/GO-2024-2457.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-f899-4mr4-fqpv #2457)
- data/reports/GO-2024-2578.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-8pf2-qj4v-fj64 #2578)
- data/reports/GO-2024-2579.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-rmqp-mvv2-54c6 #2579)
- data/reports/GO-2024-2580.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-9q24-hwmc-797x #2580)
- data/reports/GO-2024-2743.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-cvqr-mwh6-2vc6 #2743)
- data/reports/GO-2024-3064.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-gvpv-r32v-9737 #3064)
- data/reports/GO-2024-3065.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-v3x9-wrq5-868j #3065)
- data/reports/GO-2024-3158.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-48cr-j2cx-mcr8 #3158)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/incubator-answer
      versions:
        - fixed: 1.4.1
      vulnerable_at: 1.4.1-RC2
summary: 'Apache Answer: Predictable Authorization Token Using UUIDv1 in github.com/apache/incubator-answer'
cves:
    - CVE-2024-45719
ghsas:
    - GHSA-mr95-vfcf-fx9p
references:
    - advisory: https://github.com/advisories/GHSA-mr95-vfcf-fx9p
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45719
    - web: http://www.openwall.com/lists/oss-security/2024/11/22/1
    - web: https://lists.apache.org/thread/sz2d0z39k01nbx3r9pj65t76o1hy9491
source:
    id: GHSA-mr95-vfcf-fx9p
    created: 2024-11-22T23:01:23.845660747Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-mr95-vfcf-fx9p #3287

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-mr95-vfcf-fx9p #3287

GoVulnBot commented Nov 22, 2024

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-mr95-vfcf-fx9p #3287

x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-mr95-vfcf-fx9p #3287

Comments

GoVulnBot commented Nov 22, 2024