The Apache CloudStack Blog
[CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users
Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Information Disclosure
Vulnerable Versions: Apache CloudStack 4.2.0
CVE References: CVE-2014-0031
Risk Level: Low
CVSSv2 Base Scores: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
The Apache CloudStack Security Team was notified of an issue in Apache CloudStack which permits an authenticated user to list network ACLs for other users.
Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.
This issue was identified by Marcus Sorensen.
Posted at 02:00PM Jan 10, 2014 by ke4qqq in News