Moderate severityNVD Advisory· Published Mar 14, 2013· Updated Apr 29, 2026

CVE-2013-1814


Description

The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.rave:rave-coreMaven
>= 0.11, < 0.20.10.20.1
org.apache.rave:rave-webMaven
>= 0.11, < 0.20.10.20.1
org.apache.rave:rave-portal-resourcesMaven
>= 0.11, < 0.20.10.20.1

Affected products

  • Apache/Rave10 versions
    • cpe:2.3:a:apache:rave:0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:rave:0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:rave:0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:rave:0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:rave:0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:rave:0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:rave:0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:rave:0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:rave:0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:rave:0.20:*:*:*:*:*:*:*
  • ghsa-coords3 versions
    • (no CPE)range: >= 0.11, < 0.20.1
    • (no CPE)range: >= 0.11, < 0.20.1
    • (no CPE)range: >= 0.11, < 0.20.1

Patches

546edbaacfcb

Applied refactoring patch

https://github.com/apache/raveMatthew B. FranklinMar 6, 2013via ghsa
5 files changed · +85 83
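--- a/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/impl/DefaultUserService.java
+++ b/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/impl/DefaultUserService.java
@@ -223,6 +223,21 @@ public SearchResult<User> getLimitedListOfUsers(int offset, int pageSize) {
         searchResult.setPageSize(pageSize);
         return searchResult;
     }
+ 
+    
+    @Override
+    public SearchResult<Person> getLimitedListOfPersons(int offset, int pageSize) {
+        SearchResult<User> users = getLimitedListOfUsers(offset, pageSize);
+        int count = users.getTotalResults();
+        List<Person> people = new ArrayList<Person>();
+        Person person = null;
+        for(User user : users.getResultSet()){
+            person = user.toPerson();
+            person.setId(user.getId());
+            people.add(person);
+        }
+        return new SearchResult<Person>(people, count);
+    }
 
     @Override
     public SearchResult<User> getUsersByFreeTextSearch(String searchTerm, int offset, int pageSize) {
@@ -233,6 +248,20 @@ public SearchResult<User> getUsersByFreeTextSearch(String searchTerm, int offset
         searchResult.setPageSize(pageSize);
         return searchResult;
     }
+    
+    @Override
+    public SearchResult<Person> getPersonsByFreeTextSearch(String searchTerm, int offset, int pageSize) {
+        SearchResult<User> users = getUsersByFreeTextSearch(searchTerm, offset, pageSize);
+        int count = users.getTotalResults();
+        List<Person> people = new ArrayList<Person>();
+        Person person = null;
+        for(User user : users.getResultSet()){
+            person = user.toPerson();
+            person.setId(user.getId());
+            people.add(person);
+        }
+        return new SearchResult<Person>(people, count);
+    }
 
     @Override
     @Transactional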
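Review bot: Both new methods rebuild the result as `new SearchResult<Person>(people, count)` and never carry over the page size that the wrapped `getLimitedListOfUsers` / `getUsersByFreeTextSearch` set through `searchResult.setPageSize(pageSize)` (visible in the context at the top of each hunk), so unless that two-argument constructor derives it, callers of the Person variants receive results with no paging metadata; a `result.setPageSize(pageSize);` before returning keeps the two families consistent. The two methods also duplicate the same User-to-Person loop with `person` declared outside it; a private helper removes the duplication and gives one place to document that this projection is what keeps credential fields out of the RPC response, a property that `User.toPerson()` (outside this hunk) has to guarantee and that deserves a unit test asserting the serialized Person carries no password field.
```java
    @Override
    public SearchResult<Person> getLimitedListOfPersons(int offset, int pageSize) {
        return toPersonResult(getLimitedListOfUsers(offset, pageSize), pageSize);
    }

    @Override
    public SearchResult<Person> getPersonsByFreeTextSearch(String searchTerm, int offset, int pageSize) {
        return toPersonResult(getUsersByFreeTextSearch(searchTerm, offset, pageSize), pageSize);
    }

    /**
     * Projects a page of User entities onto Person views so that account
     * credentials do not leave the service layer. Assumes User.toPerson()
     * omits those fields; only the id is copied explicitly here.
     */
    private static SearchResult<Person> toPersonResult(SearchResult<User> users, int pageSize) {
        List<Person> people = new ArrayList<Person>();
        for (User user : users.getResultSet()) {
            Person person = user.toPerson();
            person.setId(user.getId());
            people.add(person);
        }
        SearchResult<Person> result = new SearchResult<Person>(people, users.getTotalResults());
        result.setPageSize(pageSize);
        return result;
    }
```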
    
    
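--- a/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/UserService.java
+++ b/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/UserService.java
@@ -206,4 +206,23 @@ public interface UserService extends UserDetailsService, AuthenticationUserDetai
      */
 	User getUserByOpenId(String openId);
 
+    /**
+     * Gets a limited {@link SearchResult} for {@link org.apache.rave.portal.model.Person}'s
+     *
+     * @param offset   start point within the resultset (for paging)
+     * @param pageSize maximum number of items to be returned (for paging)
+     * @return SearchResult
+     */
+    SearchResult<Person> getLimitedListOfPersons(int offset, int pageSize);
+
+    /**
+     * Gets a {@link SearchResult} for {@link org.apache.rave.portal.model.Person}'s that match the search term
+     *
+     * @param searchTerm free text input to search on users
+     * @param offset     start point within the resultset (for paging)
+     * @param pageSize   maximum number of items to be returned (for paging)
+     * @return SearchResult
+     */
+    SearchResult<Person> getPersonsByFreeTextSearch(String searchTerm, int offset, int pageSize);
+
 }
\ No newline at end of file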
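Review bot: The Javadoc on `getLimitedListOfPersons` and `getPersonsByFreeTextSearch` does not say why a Person-typed twin of the existing User methods exists, yet that is the contract the RPC layer now depends on: the Person projection is what keeps User's credential fields out of the response. The bare `@return SearchResult` on both would be more useful as `@return a SearchResult of Person views of the matching users, carrying profile data only (no credential fields of User), with the same paging semantics as getLimitedListOfUsers`, worded to match whatever User.toPerson() actually omits. The summary lines also misuse the possessive (`Person}'s` should read `Person}s`).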
    
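--- a/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/api/rpc/PersonApi.java
+++ b/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/api/rpc/PersonApi.java
@@ -18,21 +18,19 @@
  */
 package org.apache.rave.portal.web.api.rpc;
 
-import java.io.UnsupportedEncodingException;
-import java.net.URLDecoder;
-import java.util.HashMap;
-import java.util.List;
-
 import org.apache.rave.portal.model.Person;
+import org.apache.rave.portal.model.util.SearchResult;
 import org.apache.rave.portal.service.UserService;
 import org.apache.rave.portal.web.api.rpc.model.RpcOperation;
 import org.apache.rave.portal.web.api.rpc.model.RpcResult;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
+import java.util.HashMap;
+import java.util.List;
 
 /**
  * Defines RPC operations for adding and removing friends
@@ -41,6 +39,8 @@
 @RequestMapping(value = "/api/rpc/person/*")
 public class PersonApi {
 
+    public static final int DEFAULT_PAGE_SIZE = 10;
+
     private final UserService userService;
 
     @Autowired
@@ -130,4 +130,26 @@ public Boolean execute() {
     		}
     	}.getResult();
     }
+    
+    @ResponseBody
+    @RequestMapping(method = RequestMethod.GET, value = "get")
+    public RpcResult<SearchResult<Person>> viewUsers(@RequestParam final int offset) {
+        return new RpcOperation<SearchResult<Person>>() {
+            @Override
+            public SearchResult<Person> execute() {
+                return userService.getLimitedListOfPersons(offset, DEFAULT_PAGE_SIZE);
+            }
+        }.getResult();
+    }
+
+    @ResponseBody
+    @RequestMapping(method = RequestMethod.GET, value = "search")
+    public RpcResult<SearchResult<Person>> searchUsers(@RequestParam final String searchTerm, @RequestParam final int offset) {
+        return new RpcOperation<SearchResult<Person>>() {
+            @Override
+            public SearchResult<Person> execute() {
+                return userService.getPersonsByFreeTextSearch(searchTerm, offset, DEFAULT_PAGE_SIZE);
+            }
+        }.getResult();
+    }
 }
\ No newline at end of file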
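Review bot: `viewUsers` and `searchUsers` in the last hunk now return Person projections instead of User, but the `get` and `search` mappings still hand the whole account directory to any caller who reaches this controller; the commit narrows what is returned, not who may ask, so if enumerating every account is not meant for ordinary users the two handlers need the same role check the portal's administrative controllers apply (not visible here), and if it is intended, that decision belongs on the class, whose Javadoc still reads `Defines RPC operations for adding and removing friends`. `offset` is also forwarded to the service without a lower bound and whether `getLimitedListOfUsers` tolerates a negative value is outside this hunk, so `if (offset < 0) throw new IllegalArgumentException("offset must be >= 0");` at the top of each handler would make the contract explicit. Replacing four explicit Spring imports with `org.springframework.web.bind.annotation.*` in the first hunk also departs from the file's previous import style.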
    
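--- a/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/api/rpc/UserApi.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.rave.portal.web.api.rpc;
-
-import org.apache.rave.portal.model.User;
-import org.apache.rave.portal.model.util.SearchResult;
-import org.apache.rave.portal.service.UserService;
-import org.apache.rave.portal.web.api.rpc.model.RpcOperation;
-import org.apache.rave.portal.web.api.rpc.model.RpcResult;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-@Controller(value = "rpcUserApi")
-@RequestMapping(value = "/api/rpc/users/*")
-public class UserApi {
-
-    public static final int DEFAULT_PAGE_SIZE = 10;
-
-    private UserService userService;
-
-    @Autowired
-    public UserApi(UserService userService) {
-        this.userService = userService;
-    }
-
-    @ResponseBody
-    @RequestMapping(method = RequestMethod.GET, value = "get")
-    public RpcResult<SearchResult<User>> viewUsers(@RequestParam final int offset) {
-        return new RpcOperation<SearchResult<User>>() {
-            @Override
-            public SearchResult<User> execute() {
-                return userService.getLimitedListOfUsers(offset, DEFAULT_PAGE_SIZE);
-            }
-        }.getResult();
-    }
-
-    @ResponseBody
-    @RequestMapping(method = RequestMethod.GET, value = "search")
-    public RpcResult<SearchResult<User>> searchUsers(@RequestParam final String searchTerm, @RequestParam final int offset) {
-        return new RpcOperation<SearchResult<User>>() {
-            @Override
-            public SearchResult<User> execute() {
-                return userService.getUsersByFreeTextSearch(searchTerm, offset, DEFAULT_PAGE_SIZE);
-            }
-        }.getResult();
-    }
-
-}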
    
    
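--- a/rave-portal-resources/src/main/webapp/static/script/rave_api.js
+++ b/rave-portal-resources/src/main/webapp/static/script/rave_api.js
@@ -254,10 +254,10 @@ rave.api = rave.api || (function() {
 
                         if (addedWidget != undefined && addedWidget.title != undefined && addedWidget.title.length > 0) {
                             widgetTitle = addedWidget.title;
-                        }
-                        // if a callback is supplied, invoke it with the regionwidget id
-                        if (args.successCallback && addedWidget != undefined){
-                            args.successCallback(result.result.id);
+                        }
+                        // if a callback is supplied, invoke it with the regionwidget id
+                        if (args.successCallback && addedWidget != undefined){
+                            args.successCallback(result.result.id);
                         }
                         rave.showInfoMessage(widgetTitle + ' ' + rave.getClientMessage("widget.add_suffix"));
                         
@@ -490,7 +490,7 @@ rave.api = rave.api || (function() {
 
         function getUsers(args){
             var offset = args.offset;
-            $.get(rave.getContext() + path + "users/get",
+            $.get(rave.getContext() + path + "person/get",
                 {"offset": offset},
                 function(result) {
                     if (result.error) {
@@ -511,7 +511,7 @@ rave.api = rave.api || (function() {
                 alert(rave.getClientMessage("api.rpc.empty.search.term"));
                 return;
             }
-            $.get(rave.getContext() + path + "users/search",
+            $.get(rave.getContext() + path + "person/search",
                     {"searchTerm": searchTerm, "offset": offset},
                     function(result) {
                         if (result.error) {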
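Review bot: The URL changes in the `getUsers` and `searchUsers` hunks point the client at endpoints whose result items are Person objects rather than User objects, but the success callbacks that consume `result` begin on the last context line of each hunk and continue outside it, so nothing here shows that every property the rendering code reads from an item also exists on Person; that should be confirmed against the callback bodies before merging, since a missing property would render an empty list without an error. The first hunk at line 254 is whitespace-only (the removed and added lines are identical) and could be dropped to keep the change focused on the endpoint switch.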
    
    


References

