PT-2023-29961 · Zstack · Zstack Cloud

Evilashz · Published 2023-11-30 · Updated 2023-12-06 · CVE-2023-46326

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ZStack Cloud versions 3.10.38 and before

Description: The issue allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these jobs, leading to privilege escalation.

Recommendations: For ZStack Cloud versions 3.10.38 and before, as a temporary workaround, consider restricting access to the API endpoints that provide the list of active job UUIDs and session IDs until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Insufficient Session Expiration

Related identifiers

CVE-2023-46326
GHSA-W2RV-X3PP-H67Q

Affected products

Zstack Cloud