Missing Authorization in answerdev/answer
Description
Missing Authorization in GitHub repository answerdev/answer prior to 1.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Answer prior to 1.0.9 lacks authorization checks for the 'rank.answer.accept' configuration, allowing users to undeservedly gain privilege by accepting answers.
CVE-2023-2590 is a missing authorization vulnerability in the Answer Q&A platform (formerly answerdev/answer), affecting versions prior to 1.0.9. The root cause lies in the default value for the configuration key rank.answer.accept, which was set to 1 instead of -1. This misconfiguration effectively granted positive rank points to any user who accepted an answer, regardless of whether they had the necessary permissions [1][2].
Exploitation of this vulnerability does not require authentication as a privileged user; any authenticated user could repeatedly accept answers to artificially inflate their rank. The attack surface is the answer acceptance feature, which is a core functionality of the Q&A platform. The fix, introduced in commit 51ac1e6b76ae9ab3ca2008ca4819c0cc3bd2fcd3, changes the default value from 1 to -1 and includes a database migration to correct existing misconfigured entries [2].
An attacker could exploit this to gain unearned reputation or privileges that are tied to user rank in the Answer platform. This could lead to actions such as increased moderation capabilities, access to restricted features, or a false sense of authority within the community.
The vulnerability is patched in Answer version 1.0.9. Users running earlier versions should update immediately. The project is now under the Apache Software Foundation as Apache Answer [3]. No workarounds have been published, and the vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
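As an added illustration (not code from the Answer project), the post-upgrade check and correction described above, with a slice standing in for the config table; `configRow`, `auditAcceptRank` and `fixAcceptRank` are assumed names and the sample rows are constructed from the IDs and values in the fix commit:

```go
package main

import "fmt"
// configRow stands in for a row of Answer's config table (id, key, value);
// a constructed model for this example, not the project's entity.Config.
type configRow struct {
	ID    int
	Key   string
	Value string
}

const (
	acceptRankKey     = "rank.answer.accept"
	vulnerableDefault = "1"  // default shipped before 1.0.9
	patchedDefault    = "-1" // value written by the 1.0.9 fix
)

// auditAcceptRank reports whether a snapshot still carries the pre-1.0.9 default.
func auditAcceptRank(rows []configRow) (vulnerable, found bool) {
	for _, r := range rows { // match on key, not on the seeded ID 44
		if r.Key == acceptRankKey {
			return r.Value == vulnerableDefault, true
		}
	}
	return false, false
}

// fixAcceptRank corrects only rows holding the vulnerable default (an operator's
// deliberate value survives) and reports the changed-row count instead of a silent no-op.
func fixAcceptRank(rows []configRow) (int, error) {
	if _, found := auditAcceptRank(rows); !found {
		return 0, fmt.Errorf("%s: no such config row", acceptRankKey)
	}
	n := 0
	for i := range rows {
		if rows[i].Key == acceptRankKey && rows[i].Value == vulnerableDefault {
			rows[i].Value = patchedDefault
			n++
		}
	}
	return n, nil
}

func main() {
	// Constructed snapshot using IDs and values visible in the fix commit.
	rows := []configRow{{ID: 43, Key: "rank.answer.delete", Value: "-1"}, {ID: 44, Key: acceptRankKey, Value: "1"}}
	vuln, _ := auditAcceptRank(rows)
	n, err := fixAcceptRank(rows)
	fmt.Printf("vulnerable before fix: %v, rows changed: %d, err: %v\n", vuln, n, err)
}
```

Running it against a dump of the real config table (one row per `SELECT id, key, value FROM config`) gives an upgrade verification that does not depend on the row keeping ID 44.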
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/answerdev/answer (Go) | < 1.0.9 | 1.0.9 |
Affected products
answerdev / answer (range: unspecified)
Patches
51ac1e6b76ae fix(rank): update answer accept rank config
4 files changed · +21 −2
internal/migrations/init.go+1 −1 modified@@ -270,7 +270,7 @@ func initConfigTable(engine *xorm.Engine) error { {ID: 41, Key: "rank.answer.add", Value: `1`}, {ID: 42, Key: "rank.answer.edit", Value: `200`}, {ID: 43, Key: "rank.answer.delete", Value: `-1`}, - {ID: 44, Key: "rank.answer.accept", Value: `1`}, + {ID: 44, Key: "rank.answer.accept", Value: `-1`}, {ID: 45, Key: "rank.answer.vote_up", Value: `15`}, {ID: 46, Key: "rank.answer.vote_down", Value: `125`}, {ID: 47, Key: "rank.comment.add", Value: `1`},
internal/migrations/migrations.go+1 −0 modified@@ -57,6 +57,7 @@ var migrations = []Migration{ NewMigration("add theme and private mode", addThemeAndPrivateMode, true), NewMigration("add new answer notification", addNewAnswerNotification, true), NewMigration("add user pin hide features", addRolePinAndHideFeatures, true), + NewMigration("update accept answer rank", updateAcceptAnswerRank, true), } // GetCurrentDBVersion returns the current db version
internal/migrations/v3.go+1 −1 modified@@ -110,7 +110,7 @@ ON "question" ( {ID: 41, Key: "rank.answer.add", Value: `1`}, {ID: 42, Key: "rank.answer.edit", Value: `200`}, {ID: 43, Key: "rank.answer.delete", Value: `-1`}, - {ID: 44, Key: "rank.answer.accept", Value: `1`}, + {ID: 44, Key: "rank.answer.accept", Value: `-1`}, {ID: 45, Key: "rank.answer.vote_up", Value: `15`}, {ID: 46, Key: "rank.answer.vote_down", Value: `125`}, {ID: 47, Key: "rank.comment.add", Value: `1`},
internal/migrations/v9.go+18 −0 added@@ -0,0 +1,18 @@ +package migrations + +import ( + "fmt" + + "github.com/answerdev/answer/internal/entity" + "github.com/segmentfault/pacman/log" + "xorm.io/xorm" +) + +func updateAcceptAnswerRank(x *xorm.Engine) error { + c := &entity.Config{ID: 44, Key: "rank.answer.accept", Value: `-1`} + if _, err := x.Update(c, &entity.Config{ID: 44, Key: "rank.answer.accept"}); err != nil { + log.Errorf("update %+v config failed: %s", c, err) + return fmt.Errorf("update config failed: %w", err) + } + return nil +}
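Review bot: in the init.go hunk the same seed entry is edited identically in internal/migrations/init.go and internal/migrations/v3.go (`{ID: 44, Key: "rank.answer.accept", Value: `-1`}` appears in both), so every future rank correction needs two matching edits; consider generating both tables from one shared list. The hunk also gives no hint of what `-1` denotes for this key, so a short comment beside the entry (or in the commit message) would let reviewers confirm it is consistent with the neighbouring `rank.answer.delete` value.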
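Review bot: in the v9.go hunk `updateAcceptAnswerRank` discards the affected-row count returned by `x.Update(c, &entity.Config{ID: 44, Key: "rank.answer.accept"})`, so an installation whose row is missing or is stored under an ID other than 44 passes the migration while keeping the old value; check the count and fail, or at least log, when it is zero. The update also overwrites whatever value an administrator set for this key, not only the wrong default `1`; adding `Value: "1"` to the condition bean (or reading the row first) would limit the rewrite to installations that actually carry the vulnerable default.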
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.