CVE Vulnerabilities

CVE-2016-6813

Published: Feb 06, 2018 | Modified: Nov 07, 2023
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call designed to allow a user to register for the developer API. If a malicious user is able to determine the ID of another (non-root) CloudStack user, the malicious user may be able to reset the API keys for the other user, in turn accessing their account and resources.

Affected Software

Name Vendor Start Version End Version
Cloudstack Apache 4.1.0 4.8.1.0
Cloudstack Apache 4.9.0 4.9.0

References