CVE-2013-1814
Published 2013-03-14
Priority P3 · 41 · medium · 4 (CVSS 2.0)
AV:N/AC:L/Au:S/C:P/I:N/A:N
EXPLOIT
EPSS: 73.22% (99.4th percentile)
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | rave | — | — |
Detection & IOCs
- Monitor HTTP requests to the RPC API endpoint /app/api/rpc/users/get with an offset parameter: any authenticated user querying this path may be harvesting all user records, including password hashes.
- The Metasploit module apache_rave_creds automates exploitation by iterating the offset parameter to enumerate all user objects; detect repeated sequential requests to /app/api/rpc/users/get with incrementing offset values from a single authenticated session.
- Default credentials bundled with Apache Rave 0.20 are tried automatically by the Metasploit module; alert on successful authentication to /app/api/rpc/users/get using default accounts.
- The vulnerability is only exploitable by authenticated users. Unauthenticated access to the RPC API endpoint is not possible, so detections should focus on authenticated sessions abusing the offset parameter.
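
The sequential-offset detection described in the list above, as an added example that is not part of the original page: a Python check that reads access-log lines and flags any client whose answered requests to /app/api/rpc/users/get carry steadily increasing offset values. The Common Log Format input, the grouping by client address plus logged user, the threshold of three and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

RPC_PATH = "/app/api/rpc/users/get"  # endpoint named in the advisory
MIN_RUN = 3  # assumed threshold: increasing offsets in a row before alerting

# Assumed input: Common Log Format lines (client ident user [time] "request" status size).
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log (documentation addresses, made-up users).
SAMPLE_LOG = """\
192.0.2.10 - alice [14/Mar/2013:10:00:01 +0000] "GET /app/api/rpc/users/get?offset=0 HTTP/1.1" 200 5120
192.0.2.10 - alice [14/Mar/2013:10:00:02 +0000] "GET /app/api/rpc/users/get?offset=10 HTTP/1.1" 200 5090
192.0.2.10 - alice [14/Mar/2013:10:00:03 +0000] "GET /app/api/rpc/users/get?offset=20 HTTP/1.1" 200 4870
198.51.100.7 - bob [14/Mar/2013:10:05:00 +0000] "GET /app/api/rpc/users/get?offset=0 HTTP/1.1" 200 5120
198.51.100.7 - bob [14/Mar/2013:10:06:00 +0000] "GET /favicon.ico HTTP/1.1" 200 812
203.0.113.5 - - [14/Mar/2013:10:07:00 +0000] "GET /app/api/rpc/users/get?offset=0 HTTP/1.1" 302 0
"""

def offsets_by_client(lines):
    """Map (client, user) -> offsets requested on RPC_PATH that got a 2xx answer."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, user, target, status = m.groups()
        url = urlsplit(target)
        # Only answered (2xx) requests count; the endpoint requires authentication.
        if url.path != RPC_PATH or not status.startswith("2"):
            continue
        for raw in parse_qs(url.query).get("offset", []):
            if raw.isdigit():
                seen[(client, user)].append(int(raw))
    return dict(seen)

def longest_increasing_run(values):
    """Length of the longest stretch of requests with strictly increasing offsets."""
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur > prev else 1
        best = max(best, run)
    return best

def flag_enumeration(lines, min_run=MIN_RUN):
    """Return the (client, user) pairs whose offsets walk upward min_run times or more."""
    hits = offsets_by_client(lines)
    return sorted(k for k, offs in hits.items() if longest_increasing_run(offs) >= min_run)
```

Calling `flag_enumeration(SAMPLE_LOG.splitlines())` reports only the first client; a single lookup with `offset=0` and the unanswered request stay below the threshold.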
OSV
Apache Rave information disclosure vulnerability
osv·2022-05-17
CVE-2013-1814 [MEDIUM] Apache Rave information disclosure vulnerability
GHSA
Apache Rave information disclosure vulnerability
ghsa·2022-05-17
CVE-2013-1814 [MEDIUM] CWE-200 Apache Rave information disclosure vulnerability
No detection rules found.
Exploit-DB
Apache Rave 0.11 < 0.20 - User Information Disclosure
exploitdb·2013-03-13·CVSS 4.0
CVE-2013-1814 [MEDIUM] Apache Rave 0.11 < 0.20 - User Information Disclosure
---
CVE-2013-1814: Apache Rave exposes User over API
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Rave 0.11 to 0.20
Description:
Rave returns the full user object, including the salted and hashed
password, via the User RPC API. This endpoint is only available to
authenticated users, but will return all User objects in the database
given the correct query.
Mitigation:
All users who rely on Rave's user management capabilities should
upgrade to 0.20.1 or later.
If an upgrade is infeasible, restrict access to the /app/api/user URL
paths via Spring Security configuration or other means.
Example:
A request to:
/app/api/rpc/users/get?offset=OFFSET
will return the following:
{"error":false,"errorMessa
Metasploit
Apache Rave User Information Disclosure
metasploit
This module exploits an information disclosure in Apache Rave 0.20 and prior. The vulnerability exists in the RPC API, which allows any authenticated user to disclose information about all the users, including their password hashes. In order to authenticate, the user can provide his own credentials. Also the default users installed with Apache Rave 0.20 will be tried automatically. This module has been successfully tested on Apache Rave 0.20.
Published: 2013-03-14