A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API. An authenticated domain admin user might modify cross domain resources via a /services/[action]/launch API call, provided it would have been possible for the domain admin user to gain access to a resource identifier of the other domain.
[
{
"product": "Cloud Orchestrator",
"vendor": "IBM Corporation",
"versions": [
{
"status": "affected",
"version": "2.2"
},
{
"status": "affected",
"version": "2.2.0.1"
},
{
"status": "affected",
"version": "2.3"
},
{
"status": "affected",
"version": "2.4"
},
{
"status": "affected",
"version": "2.3.0.1"
},
{
"status": "affected",
"version": "2.4.0.1"
},
{
"status": "affected",
"version": "2.4.0.2"
},
{
"status": "affected",
"version": "2.5"
},
{
"status": "affected",
"version": "2.5.0.1"
},
{
"status": "affected",
"version": "2.4.0.3"
},
{
"status": "affected",
"version": "2.5.0.2"
}
]
}
]