Apache Rave User Information Disclosure Vulnerability

Summary
The host is running Apache Rave and is prone to an information disclosure vulnerability.
Impact
Successful exploitation will allow remote attackers to obtain sensitive information about all user accounts via the offset parameter.
Impact Level: Application
Solution
Upgrade to Apache Rave 0.20.1 or later. For updates, refer to http://rave.apache.org/downloads.html
Insight
The flaw is due to an error in the handling of the User RPC API, which returns the full user object, including the salted and hashed password.
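A post-upgrade check for the flaw described above, as an added example that is not part of the original advisory or of Apache Rave's code: it walks a JSON response body from a user-listing call and reports every key that looks like credential material. The response shape, the field names and the marker list are assumptions, and the sample bodies are constructed.

```python
import json

# Assumed key-name fragments that indicate credential material.
SENSITIVE_MARKERS = ("password", "passwd", "salt", "hash", "secret")


def find_sensitive_fields(node, path="$"):
    """Return the JSON paths of keys whose name suggests credential material."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if any(marker in key.lower() for marker in SENSITIVE_MARKERS):
                hits.append(child)
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_sensitive_fields(item, f"{path}[{index}]"))
    return hits


def audit_response(body):
    """Parse a raw response body and list any exposed credential fields."""
    try:
        document = json.loads(body)
    except json.JSONDecodeError:
        raise ValueError("response body is not JSON") from None
    return find_sensitive_fields(document)


# Constructed sample bodies; the structure and field names are hypothetical.
BEFORE_FIX = json.dumps({"result": {"offset": 0, "totalResults": 2, "resultSet": [
    {"id": 1, "username": "alice", "password": "<salted-hash-placeholder>"},
    {"id": 2, "username": "bob", "password": "<salted-hash-placeholder>"},
]}})
AFTER_FIX = json.dumps({"result": {"offset": 0, "totalResults": 2, "resultSet": [
    {"id": 1, "username": "alice"},
    {"id": 2, "username": "bob"},
]}})

if __name__ == "__main__":
    for label, body in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        exposed = audit_response(body)
        print(label, "->", exposed if exposed else "no credential fields exposed")
```

An empty result for every page of the listing is the expected state once the upgrade is in place.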
Affected
Apache Rave versions 0.11 to 0.20