
List:       oss-security
Subject:    [oss-security] CVE-2022-26779: Apache Cloudstack insecure random number generation affects project e
From:       Daan <dahn () apache ! org>
Date:       2022-03-15 15:17:33
Message-ID: 472d9cd6-7a65-5871-043c-930b966c49cc () apache ! org

Severity: low

Description:

Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. Because the generator was not cryptographically secure and its output was deterministic in the time of generation, an attacker who knows the project ID and that an invite has been sent can regenerate the candidate tokens for the time window in which the invite was created and try them one by one against the invite acceptance step before the legitimate recipient accepts the invite. Mitigating factors: this feature is not enabled by default; the attacker must know or guess the project ID for the invite in addition to the invitation token; and the attacker must already be an authenticated, authorized user of CloudStack.
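The attack sketched above, as an added example that is not part of this advisory and not CloudStack's code. It models the class of flaw ("time deterministic tokens") with Python's non-cryptographic `random.Random`: the generator, its seeding from a millisecond timestamp, the token alphabet and length, the constructed timestamp, and the `accept` callback standing in for the invite acceptance call are all assumptions; the real CloudStack implementation is not shown on this page. The hardened generator draws from the OS CSPRNG, which has no seed to recover, so the same time-window search finds nothing.

```python
"""Added example (not CloudStack code): why a time-seeded PRNG makes
invitation tokens guessable, and how a CSPRNG-based token resists the
same attack. The seeding scheme and token format are assumptions."""
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed token alphabet
TOKEN_LEN = 10                                   # assumed token length


def weak_token(seed_ms: int) -> str:
    """Vulnerable pattern: token drawn from a non-cryptographic PRNG
    seeded with a millisecond timestamp. Anyone who can narrow down the
    seed can regenerate the exact token."""
    rng = random.Random(seed_ms)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def strong_token() -> str:
    """Fixed pattern: token from the OS CSPRNG (secrets module).
    There is no seed an attacker could recover from the send time."""
    return secrets.token_urlsafe(16)


def brute_force_weak_token(sent_ms: int, window_ms: int, accept):
    """Attacker model: knows the project ID, knows an invite was sent at
    roughly `sent_ms`, and can call the accept step repeatedly.
    Enumerates every millisecond seed within +/- window_ms, regenerates
    the token for each, and submits it. `accept(token)` is a stand-in
    for the invite acceptance API and returns True on success.
    Returns (token, attempts) on success or (None, attempts)."""
    attempts = 0
    for delta in range(-window_ms, window_ms + 1):
        candidate = weak_token(sent_ms + delta)
        attempts += 1
        if accept(candidate):
            return candidate, attempts
    return None, attempts


def demo():
    """Constructed scenario: the server generated the token at a made-up
    millisecond timestamp; the attacker's estimate of the send time is
    off by 1337 ms and they search +/- 2 s around it."""
    true_seed_ms = 1_647_357_453_000          # constructed value
    attacker_estimate_ms = true_seed_ms - 1_337
    window_ms = 2_000

    real_token = weak_token(true_seed_ms)
    found, attempts = brute_force_weak_token(
        attacker_estimate_ms, window_ms, lambda t: t == real_token)
    weak_broken = found == real_token

    # Same search against a CSPRNG token: no timestamp seed exists, so
    # none of the regenerated candidates can match.
    strong = strong_token()
    found_strong, _ = brute_force_weak_token(
        attacker_estimate_ms, window_ms, lambda t: t == strong)
    strong_holds = found_strong is None

    return weak_broken, attempts, strong_holds


if __name__ == "__main__":
    broken, tries, holds = demo()
    print(f"weak token recovered: {broken} after {tries} attempts")
    print(f"CSPRNG token survived the same search: {holds}")
```

The point of the window search is that the attacker never needs to know the exact generation instant, only an estimate good to a few seconds; the cost grows linearly with the uncertainty, not with the token length. Rate limiting on the accept step narrows the window an attacker can afford to enumerate but does not remove the weakness; replacing the generator does.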

Credit:

This issue was reported by Jonathan Leitschuh

References:

https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-vpcc-9rh2-8jfp
