Description
The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.
Remediation
References
http://archives.neohapsis.com/archives/bugtraq/2013-03/0078.html
http://www.exploit-db.com/exploits/24744/
Related Vulnerabilities
CVE-2018-1000863 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2023-50710 Vulnerability in npm package hono
CVE-2020-7703 Vulnerability in npm package nis-utils
CVE-2021-23447 Vulnerability in npm package teddy
CVE-2018-13339 Vulnerability in maven package org.webjars.bower:angular-redactor