x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-v3x9-wrq5-868j

[GoVulnBot]

Advisory GHSA-v3x9-wrq5-868j references a vulnerability in the following Go modules:

Module
github.com/apache/incubator-answer

Description:
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.3.5.

The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked.
Users are recommended to upgrade to version 1.3.6, which fixes the issue.

References:

• ADVISORY: GHSA-v3x9-wrq5-868j
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41888
• FIX: apache/incubator-answer@2820efc
• WEB: https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4

Cross references:

• github.com/apache/incubator-answer appears in 5 other report(s):
  • data/reports/GO-2024-2457.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-f899-4mr4-fqpv #2457)
  • data/reports/GO-2024-2578.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-8pf2-qj4v-fj64 #2578)
  • data/reports/GO-2024-2579.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-rmqp-mvv2-54c6 #2579)
  • data/reports/GO-2024-2580.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-9q24-hwmc-797x #2580)
  • data/reports/GO-2024-2743.yaml (x/vulndb: potential Go vuln in github.com/apache/incubator-answer: GHSA-cvqr-mwh6-2vc6 #2743)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/incubator-answer
      versions:
        - fixed: 1.3.6
      vulnerable_at: 1.3.6-RC1
summary: 'Apache Answer: The link for resetting user password is not Single-Use in github.com/apache/incubator-answer'
cves:
    - CVE-2024-41888
ghsas:
    - GHSA-v3x9-wrq5-868j
references:
    - advisory: https://github.com/advisories/GHSA-v3x9-wrq5-868j
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41888
    - fix: https://github.com/apache/incubator-answer/commit/2820efc454f5808974dce0aa99aac106be3f727b
    - web: https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4
source:
    id: GHSA-v3x9-wrq5-868j
    created: 2024-08-12T19:01:14.167310545Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/605315 mentions this issue: data/reports: add 7 unreviewed reports