Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00MjhqLXE0NDctNDdyd84AAfJI
Apache Rave information disclosure vulnerability
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
Permalink: https://github.com/advisories/GHSA-428j-q447-47rwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00MjhqLXE0NDctNDdyd84AAfJI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 4 months ago
Identifiers: GHSA-428j-q447-47rw, CVE-2013-1814
References:
- https://nvd.nist.gov/vuln/detail/CVE-2013-1814
- http://archives.neohapsis.com/archives/bugtraq/2013-03/0078.html
- http://www.exploit-db.com/exploits/24744/
- https://github.com/apache/rave/commit/546edbaacfcb7b3fcc81aafe37a5c58e401b66c6
- https://web.archive.org/web/20130512040207/http://archives.neohapsis.com/archives/bugtraq/2013-03/0078.html
- https://github.com/advisories/GHSA-428j-q447-47rw
Blast Radius: 0.0
Affected Packages
maven:org.apache.rave:rave-portal-resources
Dependent packages: 2Dependent repositories: 10
Downloads:
Affected Version Ranges: >= 0.11, < 0.20.1
Fixed in: 0.20.1
All affected versions:
All unaffected versions: 0.10.1, 0.20.1, 0.21.1
maven:org.apache.rave:rave-web
Dependent packages: 4Dependent repositories: 10
Downloads:
Affected Version Ranges: >= 0.11, < 0.20.1
Fixed in: 0.20.1
All affected versions:
All unaffected versions: 0.10.1, 0.20.1, 0.21.1
maven:org.apache.rave:rave-core
Dependent packages: 13Dependent repositories: 12
Downloads:
Affected Version Ranges: >= 0.11, < 0.20.1
Fixed in: 0.20.1
All affected versions:
All unaffected versions: 0.10.1, 0.20.1, 0.21.1