Signature Detail

Short Name	HTTP:APACHE:RPC-RAVE-INFO-DISC
Severity	Medium
Recommended	No
Recommended Action	Drop
Category	HTTP
Keywords	Apache Rave User RPC API Information Disclosure
Release Date	2014/09/01
Update Number	2414
Supported Platforms	idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: Apache Rave User RPC API Information Disclosure

This signature detects attempts to exploit a known vulnerability against Apache Rave. A successful attack may lead to unauthorized information disclosure.

Extended Description

The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.

Affected Products

apache rave 0.11
apache rave 0.12
apache rave 0.13
apache rave 0.14
apache rave 0.15
apache rave 0.16
apache rave 0.17
apache rave 0.18
apache rave 0.19
apache rave 0.20

References

BugTraq: 58455
CVE: CVE-2013-1814

Signature Detail

Short Name

Severity

Recommended

Recommended Action

Category

Keywords

Release Date

Update Number

Supported Platforms

HTTP: Apache Rave User RPC API Information Disclosure

Extended Description

Affected Products

References