CVE-2023-1976

8.8 HIGH

📋 TL;DR

Answer before version 1.0.6 does not adequately enforce password aging: configured expiration periods are long, and enforcement loose enough, that a password an attacker has already obtained keeps working well past its intended rotation date. The weakness grants no initial access by itself; it extends how long a compromised credential remains usable.

💻 Affected Systems

Products:
  • Answer
Versions: All versions prior to 1.0.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects installations using password aging features. The vulnerability is in the password policy enforcement mechanism.

📦 What is this software?

Answer (GitHub: answerdev/answer) is an open-source, self-hosted question-and-answer community platform written in Go. It manages its own user accounts and passwords, which is where this weakness lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers keep persistent access to a compromised account for months or years, long enough for data theft, privilege escalation, and further movement from that account into the rest of the system.

🟠 Likely Case

Compromised accounts remain accessible to attackers beyond the intended password rotation period, widening the window for credential misuse and unauthorized access.

🟢 If Mitigated

With rotation actually enforced and logins monitored, a compromised credential stops working at the next password change cycle.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires a credential that has already been compromised through other means (the weakness itself provides none); it then lets the attacker keep using that credential long after it should have been rotated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.6

Fix Commit (vendor): https://github.com/answerdev/answer/commit/813ad0b9894673b1bdd489a2e9ab60a44fe990af

Restart Required: Yes

Instructions:

1. Back up your Answer installation and database.
2. Update to Answer version 1.0.6 or later.
3. Restart the Answer service.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Enforce Password Rotation Manually (applies to: all installations)

Manually force a password change for every user through the administrative controls.

Disable Password Aging Feature (applies to: all installations)

Temporarily disable password aging features until the patch can be applied, and rely on manual rotation in the meantime.
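As an added example (not Answer's own code, and not the change in the fix commit above), the following Go sketch shows the enforcement step the first workaround describes: a login path that checks password age against a policy. It places a lenient check, which treats an unset MaxAge as "never expires" (the weak behaviour), beside a hardened check that caps the effective maximum age and refuses accounts with no recorded change date, and adds an administrative helper that flags every account for rotation. The PasswordPolicy and Account types, the field names, and the 90-day and 365-day values are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// MaxAllowedAge is a hard ceiling on any configured expiration period.
// The 365-day value is an assumption for this example.
const MaxAllowedAge = 365 * 24 * time.Hour

// PasswordPolicy is a hypothetical policy record; Answer's real settings
// are not reproduced here.
type PasswordPolicy struct {
	MaxAge time.Duration // 0 or negative means "not configured"
}

// Account is a minimal stand-in for a user record.
type Account struct {
	Username          string
	PasswordChangedAt time.Time // zero value: no change ever recorded
	ForceRotation     bool      // set by an administrator to force a change
}

var ErrPasswordExpired = errors.New("password expired: rotation required")

// CheckPasswordAgeLenient shows the weak behaviour: an unset MaxAge is taken
// to mean "never expires", so a compromised password stays valid forever.
func CheckPasswordAgeLenient(p PasswordPolicy, a Account, now time.Time) error {
	if p.MaxAge <= 0 {
		return nil
	}
	if now.Sub(a.PasswordChangedAt) > p.MaxAge {
		return ErrPasswordExpired
	}
	return nil
}

// effectiveMaxAge clamps the configured period so that a missing or
// over-long setting cannot disable expiration.
func effectiveMaxAge(p PasswordPolicy) time.Duration {
	if p.MaxAge <= 0 || p.MaxAge > MaxAllowedAge {
		return MaxAllowedAge
	}
	return p.MaxAge
}

// CheckPasswordAge is the hardened check a login path should run after the
// credential itself has been verified. It requires rotation when an
// administrator has flagged the account, when no change date is recorded,
// or when the password is older than the (clamped) maximum age.
func CheckPasswordAge(p PasswordPolicy, a Account, now time.Time) error {
	if a.ForceRotation || a.PasswordChangedAt.IsZero() {
		return ErrPasswordExpired
	}
	if now.Sub(a.PasswordChangedAt) > effectiveMaxAge(p) {
		return ErrPasswordExpired
	}
	return nil
}

// ForceRotationForAll implements the manual workaround: every account must
// change its password at the next successful login.
func ForceRotationForAll(accounts []Account) []Account {
	out := make([]Account, len(accounts))
	for i, a := range accounts {
		a.ForceRotation = true
		out[i] = a
	}
	return out
}

func main() {
	now := time.Date(2023, 4, 15, 0, 0, 0, 0, time.UTC)
	unset := PasswordPolicy{} // weak: nothing configured
	ninety := PasswordPolicy{MaxAge: 90 * 24 * time.Hour}
	accounts := []Account{
		{Username: "alice", PasswordChangedAt: now.Add(-400 * 24 * time.Hour)},
		{Username: "bob", PasswordChangedAt: now.Add(-10 * 24 * time.Hour)},
	}
	for _, a := range accounts {
		fmt.Printf("%-6s lenient/unset=%v hardened/unset=%v hardened/90d=%v\n",
			a.Username,
			CheckPasswordAgeLenient(unset, a, now),
			CheckPasswordAge(unset, a, now),
			CheckPasswordAge(ninety, a, now))
	}
	for _, a := range ForceRotationForAll(accounts) {
		fmt.Printf("%-6s after forced rotation: %v\n", a.Username, CheckPasswordAge(ninety, a, now))
	}
}
```

The point of the clamp is that a long or missing expiration period can never silently turn into "no expiration": whatever the configuration says, the hardened check bounds password lifetime, and the forced-rotation flag gives an administrator a way to invalidate every existing password without touching the policy.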

🧯 If You Can't Patch

  • Manage accounts through an external identity provider (LDAP/Active Directory integration) so that password expiration is enforced outside Answer
  • Enable multi-factor authentication for all user accounts

🔍 How to Verify

Check if Vulnerable:

Check Answer version: if version is less than 1.0.6, the system is vulnerable

Check Version:

Check Answer admin panel or configuration files for version information

Verify Fix Applied:

Verify Answer version is 1.0.6 or higher and password expiration policies are being enforced

📡 Detection & Monitoring

Log Indicators:

  • Failed password change attempts
  • Unusual account access patterns over extended periods
  • Password policy violation alerts

Network Indicators:

  • Repeated authentication requests from same source over long periods

SIEM Query:

Join each successful login against the account's most recent password-change event and alert when the elapsed time exceeds the configured rotation period, or when the account has no password-change event on record at all.
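The detection described above, expressed as runnable logic. This is an added example, not part of the page or of Answer: it replays constructed log lines in a made-up "timestamp user= event= src=" layout (Answer's real log format is not reproduced here), records each user's last password_changed event, and reports any login_success whose password age exceeds a 90-day rotation period, or whose account has no change on record at all. The field names, the event names and the 90-day period are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// MaxPasswordAge is the rotation period the organisation intends to enforce;
// the 90-day value is an assumption for this example.
const MaxPasswordAge = 90 * 24 * time.Hour

// Event is one parsed log line. The "ts user= event= src=" layout is a
// constructed format for this example, not Answer's real log format.
type Event struct {
	Time time.Time
	User string
	Kind string
	Src  string
}

// Finding is one successful login that happened after the user's password
// should have expired, or with no recorded password change at all.
type Finding struct {
	User  string
	Login time.Time
	Age   time.Duration // -1 when no password change is on record
	Src   string
}

// parseLine splits "2023-01-02T10:00:00Z user=alice event=login_success src=..."
// into an Event; unknown key=value pairs are ignored.
func parseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return Event{}, fmt.Errorf("short line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := Event{Time: ts}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "user":
			ev.User = kv[1]
		case "event":
			ev.Kind = kv[1]
		case "src":
			ev.Src = kv[1]
		}
	}
	if ev.User == "" || ev.Kind == "" {
		return Event{}, fmt.Errorf("missing user or event in %q", line)
	}
	return ev, nil
}

// StaleLogins replays the log in time order and reports successful logins
// whose password age exceeds maxAge (or whose user has no change on record).
func StaleLogins(lines []string, maxAge time.Duration) ([]Finding, error) {
	events := make([]Event, 0, len(lines))
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		ev, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	// Logs are not guaranteed to arrive in order; replay chronologically so a
	// password change is only credited to logins that happened after it.
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })

	lastChange := map[string]time.Time{}
	var findings []Finding
	for _, ev := range events {
		switch ev.Kind {
		case "password_changed":
			lastChange[ev.User] = ev.Time
		case "login_success":
			changed, ok := lastChange[ev.User]
			if !ok {
				findings = append(findings, Finding{User: ev.User, Login: ev.Time, Age: -1, Src: ev.Src})
				continue
			}
			if age := ev.Time.Sub(changed); age > maxAge {
				findings = append(findings, Finding{User: ev.User, Login: ev.Time, Age: age, Src: ev.Src})
			}
		}
	}
	return findings, nil
}

// sampleLog is constructed for this example; the addresses are documentation ranges.
var sampleLog = []string{
	"2023-01-02T10:00:00Z user=alice event=password_changed",
	"2023-02-01T09:00:00Z user=bob event=password_changed",
	"2023-03-15T08:15:00Z user=alice event=login_success src=203.0.113.7",
	"2023-04-20T08:15:00Z user=alice event=login_success src=203.0.113.7",
	"2023-04-21T11:00:00Z user=bob event=login_success src=198.51.100.4",
	"2023-04-22T12:00:00Z user=carol event=login_success src=198.51.100.9",
}

func main() {
	findings, err := StaleLogins(sampleLog, MaxPasswordAge)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("ALERT user=%s login=%s src=%s password_age=%v\n", f.User, f.Login.Format(time.RFC3339), f.Src, f.Age)
	}
}
```

On the constructed sample this flags alice's April login (her password is over 100 days old by then) and carol (no change on record), while bob's 79-day-old password and alice's March login pass. The "no change on record" case matters in practice: an account that has never rotated since the log retention window began is exactly the one a long expiration period leaves exposed, so it should alert rather than be silently skipped.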
