PT-2018-4968 · Apache · Apache Cloudstack

Marc-Aurèle Brothier

·

Published

2018-02-06

·

Updated

2023-04-10

·

CVE-2016-6813

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache CloudStack versions 4.1 through 4.8.1.0; Apache CloudStack version 4.9.0.0

Description

The issue allows a malicious user to reset the API keys of another non-root CloudStack user if the malicious user can determine that user's ID. This could lead to unauthorized access to the user's account and resources.

Recommendations

For Apache CloudStack versions 4.1 through 4.8.1.0 and version 4.9.0.0, consider restricting access to the API call that allows registration for the developer API until a fix is available. As a temporary workaround, consider implementing additional authentication or authorization checks to prevent unauthorized API key resets.
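The authorization check the recommendation calls for, shown as an added example that is not code from the advisory or from the CloudStack project: a key-reset handler written once without and once with a caller-versus-target check. The role names, the domain tree representation and all function names are assumptions made for the illustration.

```python
# Added example, not code from the advisory or from CloudStack itself.
# A key-reset handler that takes a caller-supplied user ID must verify the
# caller's authority over that user; role names and helpers are assumptions.
import secrets
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: int
    domain_id: int
    role: str  # assumed role names: "user", "domain-admin", "root-admin"
    api_key: str = field(default_factory=lambda: secrets.token_urlsafe(24))

class NotPermitted(Exception):
    pass

def in_subtree(domain_id, ancestor_id, parent_of):
    """True if domain_id is ancestor_id or lies below it (parent_of: child -> parent)."""
    while domain_id is not None:
        if domain_id == ancestor_id:
            return True
        domain_id = parent_of.get(domain_id)
    return False

def may_reset_keys(caller, target, parent_of):
    """Assumed policy: users only themselves; domain admins any non-root user
    in their own domain subtree; root admins anyone."""
    if caller.role == "root-admin":
        return True
    if caller.role == "domain-admin":
        return target.role != "root-admin" and in_subtree(
            target.domain_id, caller.domain_id, parent_of)
    return caller.user_id == target.user_id

def reset_keys_vulnerable(caller, target_id, users):
    """The pattern the advisory describes: the caller is authenticated but
    never checked against the target, so any known ID can be rotated."""
    users[target_id].api_key = secrets.token_urlsafe(24)
    return users[target_id].api_key

def reset_keys_hardened(caller, target_id, users, parent_of):
    """Same operation with the authorization check in front of it."""
    target = users.get(target_id)
    if target is None or not may_reset_keys(caller, target, parent_of):
        # Same answer for "no such user" and "not yours", so the response
        # does not confirm which IDs exist.
        raise NotPermitted("not permitted to reset keys for this user")
    target.api_key = secrets.token_urlsafe(24)
    return target.api_key
```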

Fix

Related Identifiers

CVE-2016-6813

Affected Products

Apache Cloudstack