PT-2013-3404 · Apache · Apache Rave

Andreas Guth · Published 2013-03-14 · Updated 2022-05-17 · CVE-2013-1814

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Rave versions 0.11 through 0.20
Description: The issue allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter in the users/get program of the User RPC API. This can lead to the discovery of password hashes in the password field of a response.
Recommendations: For Apache Rave versions 0.11 through 0.20, consider restricting access to the users/get program in the User RPC API to minimize the risk of exploitation. As a temporary workaround, avoid using the offset parameter in the affected API endpoint until the issue is resolved.
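The underlying defect class is serializing a full internal user object, stored password hash included, into an API response. The following is an added example written for this page, not Apache Rave's own code (Rave is a Java project; Python is used here for brevity): a paged "users/get"-style handler that validates the offset parameter and serializes users through a field allow-list, shown beside a naive variant that dumps the whole record. All names (UserRecord, PUBLIC_USER_FIELDS, users_get, SAMPLE_USERS) and the sample records are constructed assumptions, not Rave identifiers.

```python
from dataclasses import dataclass, asdict
from typing import List

# Fields a caller is permitted to see about other users. Anything not listed
# here, notably "password" (the hash field named in the advisory), is dropped
# before the response is built. Hypothetical allow-list, not Rave's.
PUBLIC_USER_FIELDS = frozenset({"username", "display_name", "enabled"})


@dataclass
class UserRecord:
    """Hypothetical internal user model; 'password' holds the stored hash."""
    username: str
    display_name: str
    enabled: bool
    password: str
    email: str


# Constructed sample data standing in for the user store.
SAMPLE_USERS: List[UserRecord] = [
    UserRecord("alice", "Alice", True, "$2a$10$constructedhashA", "alice@example.invalid"),
    UserRecord("bob", "Bob", True, "$2a$10$constructedhashB", "bob@example.invalid"),
    UserRecord("carol", "Carol", False, "$2a$10$constructedhashC", "carol@example.invalid"),
]


def _validate_offset(offset) -> int:
    # Reject anything that is not a non-negative int (bool is an int subclass,
    # so exclude it explicitly); the offset only selects the page, never fields.
    if isinstance(offset, bool) or not isinstance(offset, int) or offset < 0:
        raise ValueError("offset must be a non-negative integer")
    return offset


def users_get_unsafe(records: List[UserRecord], offset: int, page_size: int = 20) -> dict:
    """Naive variant: serializes every field of the model, hash included."""
    offset = _validate_offset(offset)
    page = records[offset:offset + page_size]
    return {"offset": offset, "total": len(records), "result": [asdict(r) for r in page]}


def sanitize_user(record: UserRecord) -> dict:
    """Project one record onto the allow-list; unknown/sensitive fields vanish."""
    return {k: v for k, v in asdict(record).items() if k in PUBLIC_USER_FIELDS}


def users_get(records: List[UserRecord], offset: int, page_size: int = 20) -> dict:
    """Hardened variant: same paging, but responses go through the allow-list."""
    offset = _validate_offset(offset)
    page = records[offset:offset + page_size]
    return {"offset": offset, "total": len(records), "result": [sanitize_user(r) for r in page]}


def leaks_sensitive_field(response: dict, sensitive=("password", "email")) -> bool:
    """Self-check usable in a test suite: True if any serialized user exposes a
    field that must never leave the server."""
    return any(f in user for user in response["result"] for f in sensitive)


if __name__ == "__main__":
    print("unsafe leaks:", leaks_sensitive_field(users_get_unsafe(SAMPLE_USERS, 0)))
    print("hardened leaks:", leaks_sensitive_field(users_get(SAMPLE_USERS, 0)))
```

The allow-list is the important design choice: a deny-list of "password" would silently break the next time a sensitive column (an API token, a reset code) is added to the model, whereas projection through an explicit set of public fields fails closed. The leaks_sensitive_field check is the kind of assertion worth keeping in the API's regression tests so that a serializer change cannot reintroduce the disclosure.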

Tags: Exploit · Fix · Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2013-1814
GHSA-428J-Q447-47RW

Affected Products

Apache Rave