High severity · NVD Advisory · Published Apr 11, 2023 · Updated Feb 7, 2025

Password Aging with Long Expiration in answerdev/answer

CVE-2023-1976

Description

Password Aging with Long Expiration in GitHub repository answerdev/answer prior to 1.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Answer before 1.0.6 allows password aging with long expiration, potentially leaving accounts vulnerable to unauthorized access.

CVE-2023-1976 is a vulnerability in the Answer Q&A platform prior to version 1.0.6. The issue involves password aging with long expiration, meaning the software does not enforce a reasonable maximum password age, allowing passwords to remain valid indefinitely once set. This violates best practices for credential management.

The attack surface is straightforward: an account with a password set long ago may never be forced to change it. No special privileges or network position are required beyond normal user access. The vulnerability is inherent in the password aging configuration.

An attacker who obtains a user's password (e.g., through data breach or phishing) could maintain access indefinitely, as the password never expires. This increases the risk of account compromise and subsequent misuse.

The issue has been addressed in Answer version 1.0.6. Users are advised to upgrade to this version or later to enforce proper password aging policies [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/answerdev/answer (Go) | < 1.0.6 | 1.0.6

Patches

1
813ad0b98946

update VerifyCaptcha

https://github.com/answerdev/answer · aichy126 · Feb 24, 2023 · via ghsa
2 files changed · +15 0
  • internal/repo/captcha/captcha.go+8 0 modified
    @@ -68,3 +68,11 @@ func (cr *captchaRepo) GetCaptcha(ctx context.Context, key string) (captcha stri
     	}
     	return captcha, nil
     }
    +
    +func (cr *captchaRepo) DelCaptcha(ctx context.Context, key string) (err error) {
    +	err = cr.data.Cache.Del(ctx, key)
    +	if err != nil {
    +		log.Debug(err)
    +	}
    +	return nil
    +}
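Review bot: DelCaptcha swallows the cache error: the failure from cr.data.Cache.Del is logged only at Debug level and the function then ends with `return nil`, so a caller can never learn that the key was not removed. If the delete fails, the captcha stays in the cache and can be presented again, which is the reuse this method is meant to stop. Return err from the failure branch (and log at a level that is visible in production) so the caller can reject the attempt.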
    
  • internal/service/action/captcha_service.go+7 0 modified
    @@ -16,6 +16,7 @@ import (
     type CaptchaRepo interface {
     	SetCaptcha(ctx context.Context, key, captcha string) (err error)
     	GetCaptcha(ctx context.Context, key string) (captcha string, err error)
    +	DelCaptcha(ctx context.Context, key string) (err error)
     	SetActionType(ctx context.Context, ip, actionType string, amount int) (err error)
     	GetActionType(ctx context.Context, ip, actionType string) (amount int, err error)
     	DelActionType(ctx context.Context, ip, actionType string) (err error)
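Review bot: The new `DelCaptcha` method on the CaptchaRepo interface has no doc comment stating its contract, in particular whether deleting a key that is already gone counts as an error. Every other implementation of the interface (test doubles included) now has to add the method, so spell out the expected behaviour here, for example that a missing key is not an error but a backend failure is.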
    @@ -143,6 +144,12 @@ func (cs *CaptchaService) GenerateCaptcha(ctx context.Context) (key, captchaBase
     func (cs *CaptchaService) VerifyCaptcha(ctx context.Context, key, captcha string) (isCorrect bool, err error) {
     	realCaptcha, err := cs.captchaRepo.GetCaptcha(ctx, key)
     	if err != nil {
    +		log.Error("VerifyCaptcha GetCaptcha Error", err.Error())
    +		return false, nil
    +	}
    +	err = cs.captchaRepo.DelCaptcha(ctx, key)
    +	if err != nil {
    +		log.Error("VerifyCaptcha DelCaptcha Error", err.Error())
     		return false, nil
     	}
     	return strings.TrimSpace(captcha) == realCaptcha, nil
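Review bot: In VerifyCaptcha the read and the delete are two separate repository calls (GetCaptcha, then DelCaptcha), so two concurrent requests with the same key can both read realCaptcha before either delete runs, and both can pass the final comparison. A single atomic get-and-delete in the repository would close that window. Two smaller points in the same function: the `if err != nil` branch after DelCaptcha cannot be taken with the repository implementation in this commit, because that method always returns nil; and both failure paths `return false, nil`, so callers cannot tell a cache failure from a wrong answer.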
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
