Apache Answer: Repeated submissions using scripts resulted in an abnormal number of collections for questions.
Description
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.
This issue affects Apache Answer: through 1.2.0.
Under normal circumstances, a user can bookmark a question only once, and doing so increases the question's bookmark count only once. However, repeated submissions through a script can increase the question's collection count many times.
Users are recommended to upgrade to version [1.2.1], which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Race condition in Apache Answer allows users to artificially inflate bookmark counts on questions via repeated script submissions.
Vulnerability
A race condition in Apache Answer's bookmark functionality allows concurrent requests to bypass the single-bookmark-per-user constraint, enabling attackers to artificially increase a question's bookmark count. This occurs due to improper synchronization when handling bookmark operations (CVE-2023-49619). [1]
Exploitation
An unauthenticated or authenticated user can send multiple concurrent bookmark requests using scripts. The lack of atomicity lets each request increment the counter, even though the system intends to allow only one bookmark per user. No special network position is required; the attack can be performed over the internet. [2]
Impact
An attacker can inflate the bookmark count of any question arbitrarily, misleading other users about the question's popularity. This manipulates community-driven metrics and could be used to promote or bury content. The vulnerability affects Apache Answer through version 1.2.0. [1][2]
Mitigation
The issue is fixed in Apache Answer version 1.2.1, released on 2024-01-10. Users should upgrade immediately. No workarounds are documented. [2]
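The check-then-act pattern behind this class of bug, next to an atomic variant, as an added Go example. It is not Apache Answer's code and does not reproduce the 1.2.1 patch; `Store`, `RacyBookmarks`, `BookmarkOnce` and `SafeBookmarks` are hypothetical names, and the in-memory maps are a constructed stand-in for a database table and counter.

```go
package main

import (
	"fmt"
	"sync"
)

// Store is a constructed in-memory stand-in, not Apache Answer's schema or code.
type Store struct {
	mu     sync.Mutex
	marked map[string]bool // "user|question" -> bookmark row exists
	count  map[string]int  // question -> displayed bookmark count
}
func NewStore() *Store { return &Store{marked: map[string]bool{}, count: map[string]int{}} }

// RacyBookmarks replays the losing interleaving of a check-then-act handler:
// all n requests read "not bookmarked yet" before any of them writes.
func RacyBookmarks(s *Store, user, q string, n int) int {
	seen := s.marked[user+"|"+q] // stale answer every in-flight request received
	for i := 0; i < n && !seen; i++ { // each request acts on that answer
		s.marked[user+"|"+q] = true
		s.count[q]++
	}
	return s.count[q]
}

// BookmarkOnce checks and writes in one critical section (hypothetical fix shape).
func (s *Store) BookmarkOnce(user, q string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if k := user + "|" + q; !s.marked[k] {
		s.marked[k] = true
		s.count[q]++
		return true
	}
	return false
}

// SafeBookmarks sends n concurrent requests through BookmarkOnce.
func SafeBookmarks(s *Store, user, q string, n int) int {
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); s.BookmarkOnce(user, q) }()
	}
	wg.Wait()
	return s.count[q]
}

func main() { fmt.Println(RacyBookmarks(NewStore(), "u1", "q1", 20), SafeBookmarks(NewStore(), "u1", "q1", 20)) }
```

In a database-backed service the same guarantee usually comes from a unique index on the (user, question) pair, with the counter updated in the same transaction or derived from the row count.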
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/apache/incubator-answer (Go) | < 1.2.1 | 1.2.1 |
Affected products
- Apache Software Foundation/Apache Answer, v5, Range: 0
References
- github.com/advisories/GHSA-f899-4mr4-fqpv [ghsa, ADVISORY]
- lists.apache.org/thread/nscrl3c7pn68q4j73y3ottql6n5x3hd4 [ghsa, vendor-advisory, WEB]
- nvd.nist.gov/vuln/detail/CVE-2023-49619 [ghsa, ADVISORY]
- www.openwall.com/lists/oss-security/2024/01/10/1 [ghsa, WEB]