oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2022-26779: Apache Cloudstack insecure random number generation affects project email invitation

From: Daan <dahn () apache org>
Date: Tue, 15 Mar 2022 15:17:33 +0000
Severity: low

Description:

Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project 
invite is created based only on an email address, a random token is generated. An attacker with knowledge of the 
project ID and the fact that the invite is sent, could generate time deterministic tokens and brute force attempt to 
use them prior to the legitimate receiver accepting the invite. This feature is not enabled by default, the attacker is 
required to know or guess the project ID for the invite in addition to the invitation token, and the attacker would 
need to be an existing authorized user of CloudStack.

Credit:

This issue was reported by Jonathan Leitschuh

References:

https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-vpcc-9rh2-8jfp
Previous By Date Next
Previous By Thread Next

Current thread: