Moderate severityNVD Advisory· Published Sep 25, 2024· Updated Sep 27, 2024

Apache Answer: Avatar URL leaked user email addresses

CVE-2024-40761

Description

Inadequate Encryption Strength vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.3.5.

Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead. Users are recommended to upgrade to version 1.4.0, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Answer through 1.3.5 uses MD5 to hash user emails for Gravatar URLs, enabling email leakage via rainbow tables.

Vulnerability

Description

CVE-2024-40761 is an inadequate encryption strength vulnerability in Apache Answer up to version 1.3.5. The software uses the MD5 hash of a user's email address to construct Gravatar avatar URLs. MD5 is a weak, fast hash that is susceptible to precomputed rainbow table attacks, allowing an attacker to reverse the hash and recover the original email address.[1][2]

Exploitation

An attacker who observes a user's Gravatar URL (e.g., in an HTML page source or API response) can extract the MD5 hash segment. Because MD5 is cryptographically broken and widely used in rainbow tables, it is computationally trivial to reverse the hash and obtain the user's email. The attack requires no special privileges—only access to the public avatar URL produced by the application. The official Gravatar documentation recommends using SHA256 instead to increase the cost of reversing hashes.[3][4]

Impact

Successful exploitation leads to the leakage of user email addresses, which are sensitive personally identifiable information (PII). Email addresses can be used for targeted phishing, spam, or other social engineering attacks. The vulnerability exposes users' emails to anyone who can access the public avatar URL, violating privacy expectations.

Mitigation

The Apache Answer project patched this issue in version 1.4.0 by switching from MD5 to SHA256 for email hashing. Users are strongly recommended to upgrade to version 1.4.0 or later. No workaround other than the upgrade has been provided.[2]

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/apache/incubator-answerGo	< 1.4.0	1.4.0

Affected products

ghsa-coords
pkg:golang/github.com/apache/incubator-answer
Range: < 1.4.0
Apache Software Foundation/Apache Answerv5
Range: 0

Patches

c3a17046c6c3

fix: gavatar use sha256 for hash

https://github.com/apache/incubator-answershuaiAug 6, 2024via ghsa

commit

3 files changed · +10 −26

ui/package.json+1 −1 modified

@@ -31,9 +31,9 @@
     "diff": "^5.1.0",
     "front-matter": "^4.0.2",
     "i18next": "^21.9.0",
+    "js-sha256": "0.11.0",
     "lodash": "^4.17.21",
     "marked": "^4.0.19",
-    "md5": "^2.3.0",
     "next-share": "^0.18.1",
     "qrcode": "^1.5.1",
     "qs": "^6.11.0",

ui/pnpm-lock.yaml+7 −23 modified

@@ -53,15 +53,15 @@ importers:
       i18next:
         specifier: ^21.9.0
         version: 21.9.2
+      js-sha256:
+        specifier: 0.11.0
+        version: 0.11.0
       lodash:
         specifier: ^4.17.21
         version: 4.17.21
       marked:
         specifier: ^4.0.19
         version: 4.1.0
-      md5:
-        specifier: ^2.3.0
-        version: 2.3.0
       next-share:
         specifier: ^0.18.1
         version: 0.18.1(react-dom@18.2.0)(react-scripts@5.0.1)(react@18.2.0)
@@ -4642,10 +4642,6 @@ packages:
     resolution: {integrity: sha512-oSvEeo6ZUD7NepqAat3RqoucZ5SeqLJgOvVIwkafu6IP3V0pO38s/ypdVUmDDK6qIIHNlYHJAKX9E7R7HoKElw==}
     engines: {node: '>=12.20'}
 
-  /charenc@0.0.2:
-    resolution: {integrity: sha512-yrLQ/yVUFXkzg7EDQsPieE/53+0RlaWTs+wBrvW36cyilJ2SaDWfl4Yj7MtLTXleV9uEKefbAGUPv2/iWSooRA==}
-    dev: false
-
   /check-types@11.1.2:
     resolution: {integrity: sha512-tzWzvgePgLORb9/3a0YenggReLKAIb2owL03H2Xdoe5pKcUyWRSEQ8xfCar8t2SIAuEDwtmx2da1YB52YuHQMQ==}
 
@@ -4977,10 +4973,6 @@ packages:
       shebang-command: 2.0.0
       which: 2.0.2
 
-  /crypt@0.0.2:
-    resolution: {integrity: sha512-mCxBlsHFYh9C+HVpiEacem8FEBnMXgU9gy4zmNC+SXAZNB/1idgp/aulFJ4FgCi7GPEVbfyng092GqL2k2rmow==}
-    dev: false
-
   /crypto-random-string@2.0.0:
     resolution: {integrity: sha512-v1plID3y9r/lPhviJ1wrXpLeyUIGAZ2SHNYTEapm7/8A9nLPoyvVp3RK/EPFqn5kEznyWgYZNsRtYYIWbuG8KA==}
     engines: {node: '>=8'}
@@ -7207,10 +7199,6 @@ packages:
       call-bind: 1.0.5
       has-tostringtag: 1.0.0
 
-  /is-buffer@1.1.6:
-    resolution: {integrity: sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==}
-    dev: false
-
   /is-callable@1.2.6:
     resolution: {integrity: sha512-krO72EO2NptOGAX2KYyqbP9vYMlNAXdB53rq6f8LXY6RY7JdSR/3BD6wLUlPHSAesmY9vstNrjvqGaCiRK/91Q==}
     engines: {node: '>= 0.4'}
@@ -8017,6 +8005,10 @@ packages:
       - ts-node
       - utf-8-validate
 
+  /js-sha256@0.11.0:
+    resolution: {integrity: sha512-6xNlKayMZvds9h1Y1VWc0fQHQ82BxTXizWPEtEeGvmOUYpBRy4gbWroHLpzowe6xiQhHpelCQiE7HEdznyBL9Q==}
+    dev: false
+
   /js-tokens@4.0.0:
     resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
 
@@ -8362,14 +8354,6 @@ packages:
     hasBin: true
     dev: false
 
-  /md5@2.3.0:
-    resolution: {integrity: sha512-T1GITYmFaKuO91vxyoQMFETst+O71VUPEU3ze5GNzDm0OWdP8v1ziTaAEPUr/3kLsY3Sftgz242A1SetQiDL7g==}
-    dependencies:
-      charenc: 0.0.2
-      crypt: 0.0.2
-      is-buffer: 1.1.6
-    dev: false
-
   /mdn-data@2.0.14:
     resolution: {integrity: sha512-dn6wd0uw5GsdswPFfsgMp5NSB0/aDe6fK94YJV/AJDYXL6HVLWBsxeq7js7Ad+mU2K9LAlwpk6kN2D5mwCPVow==}

ui/src/pages/Users/Settings/Profile/index.tsx+2 −2 modified

@@ -21,7 +21,7 @@ import React, { FormEvent, useState, useEffect } from 'react';
 import { Form, Button, Stack, ButtonGroup } from 'react-bootstrap';
 import { Trans, useTranslation } from 'react-i18next';
 
-import MD5 from 'md5';
+import { sha256 } from 'js-sha256';
 
 import type { FormDataType } from '@/common/interface';
 import { UploadImg, Avatar, Icon, ImgViewer } from '@/components';
@@ -273,7 +273,7 @@ const Index: React.FC = () => {
       setFormData({ ...formData });
       if (res.e_mail) {
         const str = res.e_mail.toLowerCase().trim();
-        const hash = MD5(str);
+        const hash = sha256(str);
         setMailHash(hash);
       }
     });

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-48cr-j2cx-mcr8ghsaADVISORY
lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08xghsavendor-advisoryWEB
nvd.nist.gov/vuln/detail/CVE-2024-40761ghsaADVISORY
www.openwall.com/lists/oss-security/2024/09/25/2ghsaWEB
www.openwall.com/lists/oss-security/2024/09/25/5ghsaWEB
www.openwall.com/lists/oss-security/2024/09/25/6ghsaWEB
www.openwall.com/lists/oss-security/2024/09/25/7ghsaWEB
www.openwall.com/lists/oss-security/2024/09/25/8ghsaWEB
www.openwall.com/lists/oss-security/2024/09/26/1ghsaWEB
www.openwall.com/lists/oss-security/2024/09/26/3ghsaWEB
www.openwall.com/lists/oss-security/2024/09/26/4ghsaWEB
www.openwall.com/lists/oss-security/2024/09/27/4ghsaWEB
www.openwall.com/lists/oss-security/2024/09/27/5ghsaWEB
www.openwall.com/lists/oss-security/2024/09/27/8ghsaWEB
github.com/apache/incubator-answer/commit/c3a17046c6c3be1cec16ba49d07d9f7742b7260fghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000