Skip to content

Apache Rave information disclosure vulnerability

Moderate severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Jan 5, 2024

Package

maven org.apache.rave:rave-core (Maven)

Affected versions

>= 0.11, < 0.20.1

Patched versions

0.20.1
maven org.apache.rave:rave-portal-resources (Maven)
>= 0.11, < 0.20.1
0.20.1
maven org.apache.rave:rave-web (Maven)
>= 0.11, < 0.20.1
0.20.1

Description

The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.

References

Published by the National Vulnerability Database Mar 14, 2013
Published to the GitHub Advisory Database May 17, 2022
Last updated Jan 5, 2024
Reviewed Jan 5, 2024

Severity

Moderate

EPSS score

97.206%
(100th percentile)

Weaknesses

CVE ID

CVE-2013-1814

GHSA ID

GHSA-428j-q447-47rw

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.