Apache · Apache Rave · CVE-2013-1814
**Name of the Vulnerable Software and Affected Versions**
Apache Rave versions 0.11 through 0.20
**Description**
The issue allows remote authenticated users to obtain sensitive information about all user accounts via the `offset` parameter in the `users/get` program of the User RPC API. This can lead to the discovery of password hashes in the `password` field of a response.
**Recommendations**
For Apache Rave versions 0.11 through 0.20, consider restricting access to the `users/get` program in the User RPC API to minimize the risk of exploitation. As a temporary workaround, avoid using the `offset` parameter in the affected API endpoint until the issue is resolved.
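The following audit sketch is an added example, not part of the advisory or of Apache Rave. It scans web access logs for calls to `users/get` that carry an `offset` parameter, the request shape described above, and reports which accounts made them and how many were actually served. The log lines, the `/rpc-base/` path prefix, user names and addresses are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format). The "/rpc-base/"
# prefix, user names and addresses are placeholders, not values from Rave.
SAMPLE_LOG = """\
192.0.2.10 - alice [12/Mar/2013:10:01:02 +0000] "GET /rpc-base/users/get?offset=0 HTTP/1.1" 200 5120
192.0.2.10 - alice [12/Mar/2013:10:01:03 +0000] "GET /rpc-base/users/get?offset=10 HTTP/1.1" 200 5087
192.0.2.10 - alice [12/Mar/2013:10:01:04 +0000] "GET /rpc-base/users/get?OFFSET=20 HTTP/1.1" 200 4990
192.0.2.22 - bob [12/Mar/2013:10:02:00 +0000] "GET /rpc-base/users/get?offset=0 HTTP/1.1" 403 210
192.0.2.22 - bob [12/Mar/2013:10:02:05 +0000] "GET /rpc-base/pages/get?offset=5 HTTP/1.1" 200 900
192.0.2.30 - carol [12/Mar/2013:10:03:00 +0000] "GET /rpc-base/users/get HTTP/1.1" 200 640
malformed line without a request
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_offset_calls(log_text):
    """Return {user: {"offsets": distinct values seen, "served": count of 2xx}}."""
    hits = defaultdict(lambda: {"offsets": set(), "served": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request record
        url = urlsplit(m["target"])
        if not url.path.rstrip("/").endswith("/users/get"):
            continue  # some other RPC program
        # Assumption: parameter names are matched case-insensitively so the
        # audit does not miss a differently cased spelling.
        query = parse_qs(url.query, keep_blank_values=True)
        params = {k.lower(): v for k, v in query.items()}
        if "offset" not in params:
            continue
        entry = hits[m["user"]]
        entry["offsets"].update(params["offset"])
        if m["status"].startswith("2"):
            entry["served"] += 1  # a response body was returned
    return {u: {"offsets": sorted(e["offsets"], key=lambda v: (len(v), v)),
                "served": e["served"]} for u, e in hits.items()}

if __name__ == "__main__":
    for user, info in find_offset_calls(SAMPLE_LOG).items():
        print(user, info)
```

Accounts with a non-zero `served` count received responses from the affected endpoint; requests that were refused still show who attempted the call.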