CVE-2025-29868

01.04.2025, 08:15

Private Data Structure Returned From A Public Method vulnerability in Apache Answer.

This issue affects Apache Answer: through 1.4.2.

If a user uses an externally referenced image, when a user accesses this image, the provider of the image may obtain private information about the ip address of that accessing user.
Users are recommended to upgrade to version 1.4.5, which fixes the issue.In the new version, administrators can set whether external content can be displayed.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
apache	CNA	---				---
CISA-ADP	ADP	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 45%

Vendor	Product	Version
apache	answer	𝑥 ≤ 1.4.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-495 - Private Data Structure Returned From A Public Method
The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.

References

https://lists.apache.org/thread/l7pohw5g03g3qsvrz8pqc9t29mdv5lhf

http://www.openwall.com/lists/oss-security/2025/04/01/2

http://www.openwall.com/lists/oss-security/2025/04/02/1

http://www.openwall.com/lists/oss-security/2025/04/10/3