Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call designed to allow a user to register for the developer API. If a malicious user is able to determine the ID of another (non-“root”) CloudStack user, the malicious user may be able to reset the API keys for the other user, in turn accessing their account and resources.
[
{
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "4.1 to 4.8.1.0"
},
{
"status": "affected",
"version": "4.9.0.0"
}
]
}
]