Updated [CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users
From: David Nalley <ke4qqq () apache org>
Date: Fri, 10 Jan 2014 09:01:38 -0500
Issued: January 9, 2014
Updated: January 10, 2014
[CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users
Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Information Disclosure
Vulnerable Versions: Apache CloudStack 4.2.0
CVE References: CVE-2014-0031
Risk Level: Low
CVSSv2 Base Scores: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
The Apache CloudStack Security Team was notified of an
issue in Apache CloudStack which permits an authenticated user to list
network ACLs for other users.
Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.
This issue was identified by Marcus Sorensen.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/