Re: CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy.

[LinkinStar <linkinstar () apache org>]

Hi Jacob,

First, we don't have the 1.4.3 and 1.4.4 versions. You can check out all of
our releases on GitHub. [1]
Second, this fix does not affect the same-origin policy. It means that
same-origin images will be displayed usually, while different-origin images
will be restricted according to the administrator's settings.

Best regards,
LinkinStar

[1] https://github.com/apache/answer/releases

On Wed, Apr 2, 2025 at 7:32 AM Jacob Bachmeyer <jcb62281 () gmail com> wrote:

> On 3/31/25 21:44, Enxin Xie wrote:
> > [...]
> >
> > Description:
> >
> > Private Data Structure Returned From A Public Method vulnerability in
> Apache Answer.
> > This issue affects Apache Answer: through 1.4.2.
> >
> > If a user uses an externally referenced image, when a user accesses this
> image, the provider of the image may obtain private information about the
> ip address of that accessing user.
> > Users are recommended to upgrade to version 1.4.5, which fixes the
> issue. In the new version, administrators can set whether external content
> can be displayed.
>
> This hits two major pet peeves of mine:
>
> First, only versions through 1.4.2 are vulnerable, but the issue was
> fixed in 1.4.5?  What about 1.4.3 and 1.4.4?
>
> Second, the short description is *not* an accurate summary of the
> issue:  there is no public method that returns a private data structure
> here.  The possibility of planting a web bug (this is an ancient issue
> and the reason better email clients block references to remote media by
> default) is *different* from Apache Answer *itself* exposing a public
> method that leaks private data.
>
> This issue is more akin to XSS, except that web bugs are older than
> JavaScript.  The "leaked" IP address originates from the *user's*
> machine making a connection to retrieve an untrusted resource.  Perhaps
> "same origin" should have been imposed on images, but it is not.
>
>
> -- Jacob