List: oss-security
Subject: [oss-security] CVE-2022-26779: Apache Cloudstack insecure random number generation affects project e
From: Daan <dahn () apache ! org>
Date: 2022-03-15 15:17:33
Message-ID: 472d9cd6-7a65-5871-043c-930b966c49cc () apache ! org
Severity: low
Description:
Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. An attacker with knowledge of the project ID and the fact that the invite was sent could generate time-deterministic tokens and attempt to brute-force them before the legitimate recipient accepts the invite. This feature is not enabled by default; the attacker is required to know or guess the project ID for the invite in addition to the invitation token, and would need to be an existing authorized user of CloudStack.
Credit:
This issue was reported by Jonathan Leitschuh
References:
https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-vpcc-9rh2-8jfp