GitHub Advisory DatabaseGHSA-428J-Q447-47RWApache Rave information disclosure vulnerability
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
6 Medium
AI Score
Confidence
Low
0.921 High
EPSS
Percentile
98.9%
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.rave:rave-portal-resources | lt | 0.20.1 | |
| org.apache.rave:rave-web | lt | 0.20.1 | |
| org.apache.rave:rave-core | lt | 0.20.1 |
References
archives.neohapsis.com/archives/bugtraq/2013-03/0078.html
www.exploit-db.com/exploits/24744/
github.com/advisories/GHSA-428j-q447-47rw
github.com/apache/rave/commit/546edbaacfcb7b3fcc81aafe37a5c58e401b66c6
nvd.nist.gov/vuln/detail/CVE-2013-1814
web.archive.org/web/20130512040207/archives.neohapsis.com/archives/bugtraq/2013-03/0078.html
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
6 Medium
AI Score
Confidence
Low
0.921 High
EPSS
Percentile
98.9%