VYPR
High severity · NVD Advisory · Published Mar 21, 2023 · Updated Feb 26, 2025

Insufficient Session Expiration in answerdev/answer

CVE-2023-1543

Description

Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-1543: Insufficient session expiration in Answer prior to 1.0.6 allows unauthorized access through stale admin session data.

Vulnerability

Overview

The vulnerability is an insufficient session expiration issue in the Answer Q&A platform (prior to version 1.0.6). The root cause is that the logout functionality fails to clear the admin user's session cache from the system's internal storage. Specifically, the UserLogout method in the user controller was missing a call to remove the admin-specific cache entry (RemoveAdminUserCacheInfo), causing the stale session data to remain valid after logout [1][3].

Attack

Vector

To exploit this, an attacker would need to either gain access to a shared system where an administrative user had previously logged in, or obtain a leaked session token. Since the admin cache is not cleared upon logout, an attacker could reuse the old session token to maintain authenticated access as the admin, bypassing the intended logout mechanism. No additional authentication or network privileges are required beyond possessing the stale token [3][4].

Impact

Successful exploitation allows an attacker with a stale admin session token to perform actions with full administrative privileges, including accessing sensitive data, modifying system configurations, or performing other high-privilege operations on the Q&A platform. This completely undermines the session security model, as logout does not effectively revoke the session [1][4].

Mitigation

The issue was fixed in commit cd742b75605c99776f32d271c0a60e0f468e181c, which adds the missing RemoveAdminUserCacheInfo call to the logout path. Users are advised to upgrade to Answer version 1.0.6 or later to ensure that admin sessions are properly invalidated upon logout [3][4].
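To make the mechanics above concrete, here is an added, constructed Go model of the two session caches (it is not code from the Answer project; the SessionCache type, its method names and the sample token are assumptions). Logging out through the pre-1.0.6 path leaves the token resolving as an admin, the fixed path clears both entries, and OrphanedAdminTokens is the audit a defender could run against such a cache to find sessions left in that stale state.

```go
package main

import "fmt"
// SessionCache is a constructed in-memory stand-in for the two caches the fix touches
// (general user sessions and admin sessions); names are assumptions, not Answer's API.
type SessionCache struct {
	user  map[string]string // access token -> user ID
	admin map[string]string // access token -> user ID, admins only
}

func NewSessionCache() *SessionCache {
	return &SessionCache{user: map[string]string{}, admin: map[string]string{}}
}

func (c *SessionCache) Login(token, userID string, isAdmin bool) {
	c.user[token] = userID
	if isAdmin {
		c.admin[token] = userID
	}
}

// LogoutBefore106 mirrors the pre-1.0.6 path: only the user entry is removed.
func (c *SessionCache) LogoutBefore106(token string) { delete(c.user, token) }

// LogoutFixed mirrors the 1.0.6 fix: both entries are removed for the token.
func (c *SessionCache) LogoutFixed(token string) { delete(c.user, token); delete(c.admin, token) }

// AdminSessionValid is the lookup an admin-only endpoint would make.
func (c *SessionCache) AdminSessionValid(token string) bool { _, ok := c.admin[token]; return ok }

// OrphanedAdminTokens lists tokens still in the admin cache but gone from the user
// cache: the stale state the bug leaves behind, usable as an audit of a live cache.
func (c *SessionCache) OrphanedAdminTokens() []string {
	var out []string
	for tok := range c.admin {
		if _, ok := c.user[tok]; !ok {
			out = append(out, tok)
		}
	}
	return out
}

func main() {
	c := NewSessionCache()
	c.Login("tok-admin-1", "u1", true) // constructed sample token
	c.LogoutBefore106("tok-admin-1")
	fmt.Println("buggy logout, still admin:", c.AdminSessionValid("tok-admin-1"), c.OrphanedAdminTokens())
	c.LogoutFixed("tok-admin-1")
	fmt.Println("fixed logout, still admin:", c.AdminSessionValid("tok-admin-1"))
}
```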

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions   Patched versions
github.com/answerdev/answer  Go          < 1.0.6             1.0.6

Affected products: 2

Patches: 1

cd742b75605c

fix(user): Remove admin cache when user logout.

https://github.com/answerdev/answer · LinkinStars · Mar 1, 2023 · via ghsa
1 file changed · +1 −0
  • internal/controller/user_controller.go · +1 −0 · modified
    @@ -203,6 +203,7 @@ func (uc *UserController) UserLogout(ctx *gin.Context) {
     		return
     	}
     	_ = uc.authService.RemoveUserCacheInfo(ctx, accessToken)
    +	_ = uc.authService.RemoveAdminUserCacheInfo(ctx, accessToken)
     	handler.HandleResponse(ctx, nil, nil)
     }
     
    
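Review bot: the new `_ = uc.authService.RemoveAdminUserCacheInfo(ctx, accessToken)` line discards the returned error, mirroring the `RemoveUserCacheInfo` line just above it, so if evicting the admin entry fails the handler still falls through to `handler.HandleResponse(ctx, nil, nil)` and reports a successful logout while the admin session remains usable. Suggest at least logging the error, or passing it to HandleResponse so the client is told the logout did not fully take effect, and adding a regression test asserting that an admin access token no longer resolves after UserLogout.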

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.