CVE-2022-26779

CWE-338 | 2 documents | 2 sources
Severity: 7.5 HIGH
EPSS: 0.7% (top 28.94%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 15

Description

Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. An attacker who knows the project ID and that an invite has been sent could generate time-deterministic tokens and attempt to brute-force them before the legitimate recipient accepts the invite. This feature is not enabled by default, and the attacker is required to know or guess the p

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (Exploitability: 1.6 | Impact: 5.9)

Affected Packages (2 packages)

Source    | Package                                        | Product           | Version
NVD       | apache/cloudstack                              | -                 | < 4.16.1.0
CVEListV5 | apache_software_foundation/apache_cloudstack   | Apache CloudStack | 4.16.1

Patches

Vulnerability Details

1. CVEList: Apache Cloudstack insecure random number generation affects project email invitation (2022-03-15)
CVE-2022-26779 (HIGH CVSS 7.5) | Apache CloudStack prior to 4.16.1.0 | cvebase.io