CVE-2023-46326

Published: Nov 30, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. This leads to privilege escalation.

Affected (1)

Products: Zstack: Zstack

Zstack

1 product

Zstack

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zstack Zstack	Up to 3.10.38

Related CWEs

CWE-613

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (2)

https://github.com/zstackio/zstack/security/advisories/GHSA-w2rv-x3pp-h67q

Source: cve@mitre.org

ExploitVendor Advisory

https://github.com/zstackio/zstack/security/advisories/GHSA-w2rv-x3pp-h67q

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.