CVE-2013-2756

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code.

Weakness

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Cloudstack	Apache	4.0.0	4.0.0
Cloudstack	Apache	4.0.1	4.0.1
Cloudstack	Apache	4.0.2	4.0.2
Cloudplatform	Citrix	3.0	3.0
Cloudplatform	Citrix	3.0.3	3.0.3
Cloudplatform	Citrix	3.0.4	3.0.4
Cloudplatform	Citrix	3.0.5	3.0.5
Cloudplatform	Citrix	3.0.6	3.0.6

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://mail-archives.apache.org/mod_mbox/cloudstack-dev/201304.mbox/%3C51786984.1060300@stratosec.co%3E
http://osvdb.org/92748
http://secunia.com/advisories/53175
http://secunia.com/advisories/53204
http://support.citrix.com/article/CTX135815
http://www.securityfocus.com/bid/59463
http://www.securitytracker.com/id/1028473
https://exchange.xforce.ibmcloud.com/vulnerabilities/83781

NVD	https://nvd.nist.gov/vuln/detail/CVE-2013-2756
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References