Missing Release of Resource after Effective Lifetime in Answer - CVE-2024-41888

 

Published: August 20, 2024


Vulnerability identifier: #VU96230
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-41888
CWE-ID: CWE-772
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Answer

Detailed vulnerability description

The vulnerability allows a remote attacker to take over other users' accounts.

The vulnerability exists within the password reset functionality, which does not invalidate the password reset link after it has been used to reset the password. A remote attacker can brute-force the password reset token and take over the victim's account even after the victim has successfully reset their password.
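The following is an added, constructed example (not Apache Answer's code, and not the vendor's fix) that contrasts the weak pattern described above with a hardened reset-token store. The vulnerable store keeps a token valid until it expires, so a used link still redeems; the hardened store releases the token on first use, rejects expired tokens, issues only one outstanding token per account, and stores digests rather than raw tokens. The 15-minute lifetime and the `passwords` dictionary are assumptions for the demonstration.

```python
import hashlib
import secrets
import time

# Constructed example (not Apache Answer's code): a password-reset token
# store showing the weakness described above beside a hardened version.

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links live for 15 minutes


def _hash(token: str) -> str:
    # Store only a digest so a database leak does not expose live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class VulnerableResetTokenStore:
    """Weak pattern (CWE-772 style): the token is never released after use."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # token digest -> (user_id, issued_at)

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_hash(token)] = (user_id, self._now())
        return token

    def redeem(self, token: str):
        entry = self._tokens.get(_hash(token))
        if entry is None:
            return None
        user_id, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            return None
        return user_id  # defect: the entry stays valid after a successful reset


class ResetTokenStore(VulnerableResetTokenStore):
    """Hardened: one outstanding token per user, single use, expiry enforced."""

    def issue(self, user_id: str) -> str:
        # Issuing a new link invalidates any older link for the same account.
        self._tokens = {h: v for h, v in self._tokens.items() if v[0] != user_id}
        return super().issue(user_id)

    def redeem(self, token: str):
        # pop() releases the entry on first presentation, valid or not, so a
        # link can never be redeemed twice and expired links are not retained.
        entry = self._tokens.pop(_hash(token), None)
        if entry is None:
            return None
        user_id, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            return None
        return user_id


def reset_password(store, token: str, new_password: str, passwords: dict) -> bool:
    """Apply a reset; returns True only if the store accepted the token."""
    user_id = store.redeem(token)
    if user_id is None:
        return False
    # Placeholder credential storage for the example; a real application
    # would use a salted, slow password hash here.
    passwords[user_id] = new_password
    return True


if __name__ == "__main__":
    weak = VulnerableResetTokenStore()
    link = weak.issue("alice")
    print("weak store, second redeem:", weak.redeem(link) and weak.redeem(link))
    good = ResetTokenStore()
    link = good.issue("alice")
    print("hardened, first use:", reset_password(good, link, "pw1", {}))
    print("hardened, reuse:", reset_password(good, link, "pw2", {}))
```

The key defensive property is that redemption and release happen in one step (`pop`), so there is no window in which a used token remains in the store; combining that with a short lifetime and one live token per account bounds how long any brute-force guess can succeed.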

How to mitigate CVE-2024-41888

Install updates from the vendor's website.

Sources