PT-2012-5447 · Apache+1 · Apache Cloudstack+1

Published

2012-10-26

Updated

2012-10-26

CVE-2012-4501

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Citrix Cloud.com CloudStack, and Apache CloudStack pre-release

Description The issue allows remote attackers to make arbitrary API calls by leveraging the system user account. This can be demonstrated by API calls to delete VMs.

Recommendations For Citrix Cloud.com CloudStack and Apache CloudStack pre-release, consider restricting access to the system user account to minimize the risk of exploitation. As a temporary workaround, limit the ability to make arbitrary API calls until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

CVE-2012-4501

Affected Products

Apache Cloudstack

Citrix Cloudstack

PT-2012-5447 · Apache+1 · Apache Cloudstack+1

CVE-2012-4501

Weakness Enumeration

Related Identifiers

Affected Products

References · 4