Description
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
Remediation
References
http://archives.neohapsis.com/archives/bugtraq/2013-03/0078.html
http://www.exploit-db.com/exploits/24744/
Related Vulnerabilities
CVE-2021-43307 Vulnerability in maven package org.webjars.npm:semver-regex
CVE-2017-3202 Vulnerability in maven package com.exadel.flamingo.flex:amf-serializer
CVE-2019-16869 Vulnerability in maven package io.netty:netty-all
CVE-2019-15138 Vulnerability in maven package org.webjars.npm:html-pdf
CVE-2021-21345 Vulnerability in maven package com.thoughtworks.xstream:xstream