CVE-2024-41888: Apache Answer: The link for resetting user password is not Single-Use

August 12, 2024 (updated March 13, 2025)

Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.3.5.

The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue.

References

github.com/advisories/GHSA-v3x9-wrq5-868j
github.com/apache/incubator-answer/commit/2820efc454f5808974dce0aa99aac106be3f727b
lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4
nvd.nist.gov/vuln/detail/CVE-2024-41888

Code Behaviors & Features

Detect and mitigate CVE-2024-41888 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →