CVE-2013-4317
https://notcve.org/view.php?id=CVE-2013-4317
In Apache CloudStack 4.1.0 and 4.1.1, when calling the CloudStack API call listProjectAccounts as a regular, non-administrative user, the user is able to see information for accounts other than their own. En Apache CloudStack 4.1.0 y 4.1.1, al llamar a la API CloudStack call listProjectAccounts como usuario normal no administrativo, el usuario puede ver información de cuentas distintas a la propia. • http://seclists.org/oss-sec/2018/q1/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2015-3252
https://notcve.org/view.php?id=CVE-2015-3252
Apache CloudStack before 4.5.2 does not properly preserve VNC passwords when migrating KVM virtual machines, which allows remote attackers to gain access by connecting to the VNC server. Apache CloudStack en versiones anteriores a 4.5.2 no conserva adecuadamente las contraseñas VNC al migrar máquinas virtuales KVM, lo que permite a atacantes remotos obtener acceso mediante la conexión al servidor VNC. • http://mail-archives.apache.org/mod_mbox/cloudstack-users/201602.mbox/%3C7508580E-3D83-49FD-BE6E-B329B0503130%40gmail.com%3E http://www.securityfocus.com/archive/1/537459/100/0/threaded https://blogs.apache.org/cloudstack/entry/two_late_announced_security_advisories • CWE-255: Credentials Management Errors •
CVE-2014-9593
https://notcve.org/view.php?id=CVE-2014-9593
Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call. Apache CloudStack anterior a 4.3.2 y 4.4.x anterior a 4.4.2 permite a atacantes remotos obtener claves privados a través de una llamada a la API listSslCerts. • http://docs.cloudstack.apache.org/projects/cloudstack-release-notes/en/4.3.2/about.html http://docs.cloudstack.apache.org/projects/cloudstack-release-notes/en/4.4.2/fixed_issues.html#issues-fixed-in-release http://secunia.com/advisories/62216 https://issues.apache.org/jira/browse/CLOUDSTACK-7952 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-0031
https://notcve.org/view.php?id=CVE-2014-0031
The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache CloudStack before 4.2.1 allow remote authenticated users to list network ACLS for other users via a crafted request. Las APIs (1) ListNetworkACL y (2) listNetworkACLLists en Apache CloudStack anteriores a 4.2.1 permite a usuarios autenticados remotamente listar networkACLS para otros usuarios a través de una petición manipulada. • http://secunia.com/advisories/55960 https://blogs.apache.org/cloudstack/entry/cve_2014_0031_cloudstack_listnetworkacl https://issues.apache.org/jira/browse/CLOUDSTACK-5145 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-6398
https://notcve.org/view.php?id=CVE-2013-6398
The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request. El router virtual en Apache CloudStack anteriores a 4.2.1 no mantiene las restricciones de orígenes en reglas del firewall después de ser reiniciado, lo cual permite a atacantes remotos eludir restricciones intencionadas a través de una petición. • http://secunia.com/advisories/55960 http://secunia.com/advisories/60284 http://support.citrix.com/article/CTX140989 http://www.securityfocus.com/bid/69432 http://www.securitytracker.com/id/1030762 https://blogs.apache.org/cloudstack/entry/cve_2013_6398_cloudstack_virtual https://issues.apache.org/jira/browse/CLOUDSTACK-5263 • CWE-264: Permissions, Privileges, and Access Controls •