VYPR
Moderate severity · NVD Advisory · Published Mar 21, 2023 · Updated Feb 27, 2025

Observable Timing Discrepancy in answerdev/answer

CVE-2023-1538

Description

Observable Timing Discrepancy in GitHub repository answerdev/answer prior to 1.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-1538 is an observable timing discrepancy in answerdev/answer prior to 1.0.6 that could allow enumeration attacks.

CVE-2023-1538 is an observable timing discrepancy vulnerability in the answerdev/answer Q&A platform prior to version 1.0.6. The issue resides in the CAPTCHA verification logic, where the VerifyCaptcha function fails to delete the stored CAPTCHA after a failed verification attempt and returns differing error messages based on whether the CAPTCHA exists or is incorrect. This timing and response difference allows an attacker to infer whether a given key corresponds to a valid, pending CAPTCHA.

An attacker can exploit this by sending repeated CAPTCHA verification requests with the same key and different candidate CAPTCHA values. When the key is valid, the system first retrieves the stored CAPTCHA and then compares it, producing a distinct time and error pattern compared to when the key is invalid or expired. The official fix, introduced in commit 813ad0b [3], ensures the CAPTCHA is deleted after each verification attempt and logs errors consistently, eliminating the observable discrepancy.

The impact of this vulnerability is primarily information disclosure — an attacker could enumerate valid CAPTCHA keys, potentially bypassing the CAPTCHA protection. This could facilitate automated account creation, spam posting, or other abuse that the CAPTCHA was meant to prevent. The vulnerability does not directly lead to privilege escalation or remote code execution, but it undermines a security control.

Answer version 1.0.6, released on 2023-03-21, includes the patch for this issue [1]. Users running prior versions are advised to upgrade immediately. No workarounds have been published, and the vulnerability is not known to be exploited in the wild at the time of disclosure. The fix is available in the project's GitHub repository [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
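
The single-use behaviour that the fix introduces, shown beside the reusable pre-1.0.6 behaviour described above. This is an added example, not code from answerdev/answer: the memStore type, the function names and the sample key and answer are constructed for illustration, and the constant-time comparison is an addition that is not part of the patch.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strings"
	"sync"
)

// memStore is a hypothetical in-memory stand-in for the project's cache-backed CaptchaRepo.
type memStore struct {
	mu sync.Mutex
	m  map[string]string
}

// take returns the stored answer for key; when consume is true the entry is
// removed in the same critical section, so a key can be checked only once.
func (s *memStore) take(key string, consume bool) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	v, ok := s.m[key]
	if ok && consume {
		delete(s.m, key)
	}
	return v, ok
}

// verifyReusable models the pre-1.0.6 flow: a failed attempt leaves the captcha in place.
func verifyReusable(s *memStore, key, guess string) bool {
	want, ok := s.take(key, false)
	return ok && strings.TrimSpace(guess) == want
}

// verifySingleUse models the patched flow (get, delete, compare) and, as an
// addition beyond the patch, compares in constant time.
func verifySingleUse(s *memStore, key, guess string) bool {
	want, ok := s.take(key, true)
	eq := subtle.ConstantTimeCompare([]byte(strings.TrimSpace(guess)), []byte(want)) == 1
	return ok && eq
}

func main() {
	// Constructed sample data: key "k1" with answer "7h3x".
	a := &memStore{m: map[string]string{"k1": "7h3x"}}
	b := &memStore{m: map[string]string{"k1": "7h3x"}}
	fmt.Println(verifyReusable(a, "k1", "nope"), verifyReusable(a, "k1", "7h3x"))   // false true
	fmt.Println(verifySingleUse(b, "k1", "nope"), verifySingleUse(b, "k1", "7h3x")) // false false
}
```
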

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/answerdev/answer (Go)
Affected versions: < 1.0.6
Patched versions: 1.0.6

Affected products

2

Patches

1
813ad0b98946

update VerifyCaptcha

https://github.com/answerdev/answer · aichy126 · Feb 24, 2023 · via ghsa
2 files changed · +15 0
  • internal/repo/captcha/captcha.go+8 0 modified
    @@ -68,3 +68,11 @@ func (cr *captchaRepo) GetCaptcha(ctx context.Context, key string) (captcha stri
     	}
     	return captcha, nil
     }
    +
    +func (cr *captchaRepo) DelCaptcha(ctx context.Context, key string) (err error) {
    +	err = cr.data.Cache.Del(ctx, key)
    +	if err != nil {
    +		log.Debug(err)
    +	}
    +	return nil
    +}
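Review bot: DelCaptcha discards the result of cr.data.Cache.Del: the error is logged at debug level and the function then returns nil unconditionally, so the named return err never reaches the caller. The err != nil check that VerifyCaptcha adds after calling DelCaptcha can therefore never fire, and a failed delete leaves the captcha in the cache for another attempt with nothing above debug level recording it. Return the error (return err) and let the service layer decide how to log and react.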
    
  • internal/service/action/captcha_service.go+7 0 modified
    @@ -16,6 +16,7 @@ import (
     type CaptchaRepo interface {
     	SetCaptcha(ctx context.Context, key, captcha string) (err error)
     	GetCaptcha(ctx context.Context, key string) (captcha string, err error)
    +	DelCaptcha(ctx context.Context, key string) (err error)
     	SetActionType(ctx context.Context, ip, actionType string, amount int) (err error)
     	GetActionType(ctx context.Context, ip, actionType string) (amount int, err error)
     	DelActionType(ctx context.Context, ip, actionType string) (err error)
    @@ -143,6 +144,12 @@ func (cs *CaptchaService) GenerateCaptcha(ctx context.Context) (key, captchaBase
     func (cs *CaptchaService) VerifyCaptcha(ctx context.Context, key, captcha string) (isCorrect bool, err error) {
     	realCaptcha, err := cs.captchaRepo.GetCaptcha(ctx, key)
     	if err != nil {
    +		log.Error("VerifyCaptcha GetCaptcha Error", err.Error())
    +		return false, nil
    +	}
    +	err = cs.captchaRepo.DelCaptcha(ctx, key)
    +	if err != nil {
    +		log.Error("VerifyCaptcha DelCaptcha Error", err.Error())
     		return false, nil
     	}
     	return strings.TrimSpace(captcha) == realCaptcha, nil
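Review bot: The final comparison, strings.TrimSpace(captcha) == realCaptcha, is still an ordinary string equality, which is not a constant-time operation; as this commit is the fix for a timing discrepancy, compare the two values as byte slices with subtle.ConstantTimeCompare from crypto/subtle instead. Separately, the GetCaptcha error branch returns before DelCaptcha is called, so a request with an unknown key makes one cache call while a request with a known key makes two; calling DelCaptcha on both paths would keep the work done per request the same.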
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
