HTTP: Apache Rave RPC API Information Disclosure

This signature attempts to detect exploitation of a known vulnerability in the User RPC API of Apache Rave. A successful attack can lead to unauthorized information disclosure.

Extended Description

The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.

Affected Products

Apache Rave

References

BugTraq: 58455

CVE: CVE-2013-1814

Short Name: HTTP:APACHE:RAVE-USER-RPCAPI-ID
Severity: Minor
Recommended: False
Recommended Action: Drop
Category: HTTP
Keywords: API Apache CVE-2013-1814 Disclosure Information RPC Rave bid:58455
Release Date: 06/02/2017
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version: 3336
False Positive: Unknown
Vendors

Apache

CVSS Score

4.0
