1547241 – (CVE-2013-4317) CVE-2013-4317 cloudstack: Information disclosure in listProjectAccounts in the CloudStack API

Bug 1547241 (CVE-2013-4317) - CVE-2013-4317 cloudstack: Information disclosure in listProjectAccounts in the CloudStack API

Summary: CVE-2013-4317 cloudstack: Information disclosure in listProjectAccounts in th...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2013-4317
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1547247
TreeView+	depends on / blocked

Reported:	2018-02-20 20:26 UTC by Laura Pardo
Modified:	2019-09-29 14:32 UTC (History)
CC List:	0 users
Fixed In Version:	cloudstack 4.2
Clone Of:
Environment:
Last Closed:	2019-06-08 03:40:30 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-02-20 20:26:22 UTC

A vulnerability was found in Apache CloudStack 4.1.0 and 4.1.1, when calling the CloudStack API call listProjectAccounts as a regular, non-administrative user, the user is able to see information for accounts other than their own.


References:
http://seclists.org/oss-sec/2018/q1/1

Comment 1 Hooman Broujerdi 2018-02-20 23:49:52 UTC

JBoss Fuse does not use apache cloudstack and it's not affected by this flaw.

Note You need to log in before you can comment on or make changes to this bug.