Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2022-26779
Analyzed
More InfoOfficial Page
Source-security@apache.org
View Known Exploited Vulnerability (KEV) details
Published At-15 Mar, 2022 | 16:15
Updated At-22 Mar, 2022 | 16:09

Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. An attacker with knowledge of the project ID and the fact that the invite is sent, could generate time deterministic tokens and brute force attempt to use them prior to the legitimate receiver accepting the invite. This feature is not enabled by default, the attacker is required to know or guess the project ID for the invite in addition to the invitation token, and the attacker would need to be an existing authorized user of CloudStack.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary2.04.6MEDIUM
AV:N/AC:H/Au:S/C:P/I:P/A:P
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 4.6
Base severity: MEDIUM
Vector:
AV:N/AC:H/Au:S/C:P/I:P/A:P
CPE Matches
The Apache Software Foundation
apache
>>cloudstack>>Versions before 4.16.1.0(exclusive)
cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-338Primarynvd@nist.gov
CWE ID: CWE-338
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.openwall.com/lists/oss-security/2022/03/15/1security@apache.org
Mailing List
Third Party Advisory
https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-vpcc-9rh2-8jfpsecurity@apache.org
Exploit
Patch
Third Party Advisory
https://lists.apache.org/thread/dmm07b1cyosovqr12ddhkko501p11h2hsecurity@apache.org
Mailing List
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2022/03/15/1
Source: security@apache.org
Resource:
Mailing List
Third Party Advisory
Hyperlink: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-vpcc-9rh2-8jfp
Source: security@apache.org
Resource:
Exploit
Patch
Third Party Advisory
Hyperlink: https://lists.apache.org/thread/dmm07b1cyosovqr12ddhkko501p11h2h
Source: security@apache.org
Resource:
Mailing List
Vendor Advisory
Change History
0Changes found
Details not found