CVE-2024-40761 – github.com/apache/incubator-answer
Package
Manager: go
Name: github.com/apache/incubator-answer
Vulnerable Version: >=0 <1.4.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green
EPSS: 0.01381 (percentile: 0.79551)
Details
Apache Answer: Avatar URL leaked user email addresses
Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer through 1.3.5. Using the MD5 value of a user's email address to access Gravatar is insecure and can lead to the leakage of the user's email address. The official recommendation is to use SHA256 instead. Users are recommended to upgrade to version 1.4.0, which fixes the issue.
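A post-upgrade check for the issue described above, as an added example that is not Apache Answer's own code: it builds a Gravatar URL from a SHA-256 digest and scans rendered output for avatar digests that are still MD5-length (32 hex characters). The function names, the sample HTML and the 32-hex placeholder digest are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

const avatarBase = "https://www.gravatar.com/avatar/"

// gravatarSHA256URL builds the avatar URL from the SHA-256 digest of the
// address after Gravatar's documented normalisation (trim, lower-case).
func gravatarSHA256URL(email string) string {
	sum := sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(email))))
	return avatarBase + hex.EncodeToString(sum[:])
}

// Matches the digest path segment of any Gravatar avatar URL.
var avatarRe = regexp.MustCompile(`(?i)gravatar\.com/avatar/([0-9a-f]+)`)

// findMD5Avatars returns every digest in body whose length (32 hex chars)
// marks it as MD5, i.e. output still rendered the pre-1.4.0 way.
func findMD5Avatars(body string) []string {
	var hits []string
	for _, m := range avatarRe.FindAllStringSubmatch(body, -1) {
		if len(m[1]) == 32 {
			hits = append(hits, strings.ToLower(m[1]))
		}
	}
	return hits
}

func main() {
	// Constructed sample page: one legacy 32-hex digest (placeholder value,
	// not a real hash) and one URL built the SHA-256 way.
	body := `<img src="https://www.gravatar.com/avatar/0123456789abcdef0123456789abcdef?s=96">` +
		`<img src="` + gravatarSHA256URL(" User@Example.COM ") + `?s=96">`
	for _, d := range findMD5Avatars(body) {
		fmt.Println("MD5-length avatar digest still served:", d)
	}
}
```

Running the scan over cached pages, API responses and notification templates after upgrading to 1.4.0 shows whether any path still emits the old digest form.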
Metadata
Created: 2024-09-25T09:30:46Z
Modified: 2025-07-11T15:04:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-48cr-j2cx-mcr8/GHSA-48cr-j2cx-mcr8.json
CWE IDs: ["CWE-326"]
Alternative ID: GHSA-48cr-j2cx-mcr8
Finding: F052
Auto approve: 1