Description
Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call designed to allow a user to register for the developer API. If a malicious user is able to determine the ID of another (non-"root") CloudStack user, the malicious user may be able to reset the API keys for the other user, in turn accessing their account and resources.
References
- Broken Link, Third Party Advisory, VDB Entry
- Vendor Advisory
- Broken Link, Third Party Advisory, VDB Entry
- Vendor Advisory
Vulnerable configurations
Configuration 1
Versions from 4.1.0 (inclusive) to 4.8.1.0 (inclusive)
One of
cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cloudstack:4.9.0:*:*:*:*:*:*:*
EPSS: 0.0153 (Low), percentile: 81%
CVSS3: 9.8 Critical
CVSS2: 7.5 High
Weaknesses
NVD-CWE-noinfo
Related vulnerabilities
CVSS3: 9.8
github
more than 3 years ago
Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call designed to allow a user to register for the developer API. If a malicious user is able to determine the ID of another (non-"root") CloudStack user, the malicious user may be able to reset the API keys for the other user, in turn accessing their account and resources.