PT-2023-29961 · Zstack · Zstack Cloud

Author: Evilashz · Published: 2023-11-30 · Updated: 2023-12-06 · CVE-2023-46326

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ZStack Cloud versions 3.10.38 and before
Description: The issue allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these jobs, leading to privilege escalation.
Recommendations: For ZStack Cloud versions 3.10.38 and before, as a temporary workaround, consider restricting access to the API endpoints that provide the list of active job UUIDs and session IDs until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
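The workaround above is a gateway policy (sensitive endpoints only for authenticated callers from a trusted network), and the same policy can be run retroactively over access logs to find requests that were served but should have been blocked. The script below is an added example written for this advisory, not ZStack's own code: the endpoint paths under /PLACEHOLDER/ are stand-ins (the advisory does not name the real ZStack API paths), the log format is constructed for the example, and the sample log lines and allowlist are invented.

```python
"""Audit access logs for unauthenticated or off-network hits on the endpoints that
expose active job UUIDs and per-job session IDs (CVE-2023-46326 in ZStack Cloud
<= 3.10.38), and evaluate the advisory's interim access-restriction workaround.
Added example; not ZStack's code. All paths, log format and sample data are
placeholders or constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# PLACEHOLDER endpoint patterns: substitute the paths from your own deployment.
SENSITIVE_PATHS = (
    re.compile(r"^/PLACEHOLDER/api/jobs/?$"),                        # list of active job UUIDs
    re.compile(r"^/PLACEHOLDER/api/jobs/[0-9a-f]{32}/session$"),     # session ID for one job
)

# Constructed log format, one request per line:
#   <client-ip> [<timestamp>] "<METHOD> <path>" <status> session=<id|->
# where "session=-" means the request carried no session credential at all.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) session=(?P<session>\S+)$'
)


@dataclass(frozen=True)
class Request:
    ip: str
    method: str
    path: str
    status: int
    session: Optional[str]  # None when no session credential was presented


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    reason: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one constructed-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    session = None if m["session"] == "-" else m["session"]
    return Request(m["ip"], m["method"], m["path"], int(m["status"]), session)


def parse_allowlist(cidrs: Iterable[str]) -> List[Network]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_sensitive(path: str) -> bool:
    return any(p.match(path) for p in SENSITIVE_PATHS)


def deny_reason(req: Request, allowed_nets: Sequence[Network]) -> Optional[str]:
    """Apply the interim policy: a sensitive endpoint may be reached only by a
    caller that presents a session credential AND comes from an allowlisted
    management network. Returns None when the request is allowed."""
    if not is_sensitive(req.path):
        return None
    if req.session is None:
        return "no session credential"
    if not any(ipaddress.ip_address(req.ip) in net for net in allowed_nets):
        return "source not in allowlist"
    return None


def audit(lines: Iterable[str], allowed_nets: Sequence[Network]) -> List[Finding]:
    """Flag sensitive-endpoint requests the server actually served (2xx) that the
    workaround would have blocked; these are the hits to investigate."""
    findings: List[Finding] = []
    for line in lines:
        req = parse_line(line)
        if req is None or not 200 <= req.status < 300:
            continue
        reason = deny_reason(req, allowed_nets)
        if reason is not None:
            findings.append(Finding(req.ip, req.path, reason))
    return findings


# Constructed sample log: two unauthenticated hits from 203.0.113.7, one
# authenticated hit from outside the allowlist, one legitimate hit, one non-sensitive path.
SAMPLE_LOG = """\
10.0.0.5 [30/Nov/2023:10:00:01 +0000] "GET /PLACEHOLDER/api/jobs" 200 session=a1b2c3
203.0.113.7 [30/Nov/2023:10:00:02 +0000] "GET /PLACEHOLDER/api/jobs" 200 session=-
203.0.113.7 [30/Nov/2023:10:00:03 +0000] "GET /PLACEHOLDER/api/jobs/0f1e2d3c4b5a69788796a5b4c3d2e1f0/session" 200 session=-
10.0.0.5 [30/Nov/2023:10:00:04 +0000] "GET /PLACEHOLDER/api/vms" 200 session=-
198.51.100.9 [30/Nov/2023:10:00:05 +0000] "GET /PLACEHOLDER/api/jobs" 200 session=d4e5f6
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines(), parse_allowlist(["10.0.0.0/8"])):
        print(f"{f.ip:<14} {f.reason:<24} {f.path}")
```

Because `deny_reason` encodes the policy once, the same function can sit in front of the endpoints (in a reverse proxy or WSGI middleware) to enforce the workaround and behind them to audit historical logs; any served request that it would have denied is worth treating as a possible exposure of job UUIDs or session IDs.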

Exploit

Insufficient Session Expiration


Weakness Enumeration

Related Identifiers

CVE-2023-46326
GHSA-W2RV-X3PP-H67Q

Affected Products

Zstack Cloud