| --- |
| layout: post |
| status: PUBLISHED |
| published: true |
| title: "[CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users" |
| id: 87a9736f-6495-441c-908a-d84e1a0e87c3 |
| date: '2014-01-10 14:00:00 -0500' |
| categories: cloudstack |
| tags: |
| - security |
| permalink: cloudstack/entry/cve_2014_0031_cloudstack_listnetworkacl |
| --- |
| <p> |
| Product: Apache CloudStack<br/><br /> |
| Vendor: Apache Software Foundation<br/><br /> |
| Vulnerability type: Information Disclosure<br/><br /> |
| Vulnerable Versions: Apache CloudStack 4.2.0<br/><br /> |
| CVE References: CVE-2014-0031<br/><br /> |
| Risk Level: Low<br/><br /> |
| CVSSv2 Base Scores: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)<br/></p> |
| <p>Description:</p> |
| <p>The Apache CloudStack Security Team was notified of an<br /> |
| issue in Apache CloudStack which permits an authenticated user to list<br /> |
| network ACLs for other users.</p> |
| <p>Mitigation:</p> |
| <p>Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.</p> |
| <p>References:</p> |
| <p>https://issues.apache.org/jira/browse/CLOUDSTACK-5145</p> |
| <p>Credit:</p> |
| <p>This issue was identified by Marcus Sorensen.</p> |