Description
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
Remediation
References
http://archives.neohapsis.com/archives/bugtraq/2013-03/0078.html
http://www.exploit-db.com/exploits/24744/