389 matches found

CVE
added 2015/01/15 3:0 p.m. | 43 views

CVE-2014-9593

Apache CloudStack is affected by CVE-2014-9593: before 4.3.2 and 4.4.x before 4.4.2, the listSslCerts API call can disclose private keys. Likely impact is information disclosure of SSL private keys. The remediation in the connected records is to upgrade to CloudStack 4.3.2+ or 4.4.2+ (i.e., fixed...

CVSS 5 | AI score 6.8 | EPSS 0.03184
Exploits: 0 | References: 4 | Affected Software: 1

securityvulns
added 2014/12/29 12:0 a.m. | 72 views

[CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds

CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds. CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P. Vendors: The Apache Software Foundation; Citrix, Inc. Versions Affected: Apache CloudStack 4.3, 4.4. Description: Apache CloudStack may be configured to...

CVSS 5 | AI score 1.5 | EPSS 0.02556
Exploits: 1

securityvulns
added 2014/12/29 12:0 a.m. | 37 views

Apache CloudStack authentication bypass

Password is not checked for LDAP binds...

CVSS 5 | AI score 2.4 | EPSS 0.02556
Exploits: 1 | References: 1 | Affected Software: 1

Prion
added 2014/12/10 3:59 p.m. | 21 views

Authentication flaw

Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind...

CVSS 5 | AI score 7.5 | EPSS 0.02556
Exploits: 1 | References: 2 | Affected Software: 1

NVD
added 2014/12/10 3:59 p.m. | 21 views

CVE-2014-7807

Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind...

CVSS 5 | AI score 7 | EPSS 0.02556
Exploits: 1 | References: 2

CVE
added 2014/12/10 3:0 p.m. | 44 views

CVE-2014-7807

Apache CloudStack is affected: versions 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allow unauthenticated LDAP binds when LDAP is configured, enabling login requests without a password and resulting in an unauthenticated bind. Remediation per the docs is to upgrade to 4.4.2 (or 4.3.2 in testing) or...

CVSS 5 | AI score 7.2 | EPSS 0.02556
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2014/12/10 3:0 p.m. | 25 views

CVE-2014-7807

Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind...

AI score 7 | EPSS 0.02556
Exploits: 1 | References: 2

0day.today
added 2014/12/10 12:0 a.m. | 44 views

Apache CloudStack 4.3 / 4.4 Unauthenticated LDAP Binds Vulnerability

Apache CloudStack may be configured to authenticate LDAP users. When so configured, it performs a simple LDAP bind with the name and password provided by a user. Simple LDAP binds are defined with three mechanisms (RFC 4513): 1) username and password; 2) unauthenticated if only a username is specifie...

CVSS 5 | AI score 6.6 | EPSS 0.02556
Exploits: 1

Tenable Nessus
added 2014/06/13 12:0 a.m. | 26 views

openSUSE Security Update : python-apache-libcloud (openSUSE-SU-2014:0198-1)

Updated to 0.13.3 bnc857209, CVE-2013-6480 + Security fix release, for destroying nodes on digitalOcean 'datascrub' method is always invoked - Require python-setuptools instead of distribute upstreams merged - Updated to 0.13.2 - General : - Don't sent Content-Length: 0 header with POST and PUT...

CVSS 2.1 | AI score 5.4 | EPSS 0.0206
Exploits: 1 | References: 3

NVD
added 2014/05/23 2:55 p.m. | 14 views

CVE-2013-2758

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C uses a hash of a predictable sequence, which makes it easier for remote attackers to guess the console access URL via a brute force attack...

CVSS 5 | AI score 6.6 | EPSS 0.06472
Exploits: 0 | References: 8

NVD
added 2014/05/23 2:55 p.m. | 15 views

CVE-2013-2756

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code...

CVSS 5 | AI score 7 | EPSS 0.05822
Exploits: 1 | References: 8

Prion
added 2014/05/23 2:55 p.m. | 13 views

Code injection

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code...

CVSS 5 | AI score 7.5 | EPSS 0.05822
Exploits: 1 | References: 8 | Affected Software: 2

Prion
added 2014/05/23 2:55 p.m. | 15 views

Design/Logic Flaw

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C uses a hash of a predictable sequence, which makes it easier for remote attackers to guess the console access URL via a brute force attack...

CVSS 5 | AI score 7.2 | EPSS 0.06472
Exploits: 0 | References: 8 | Affected Software: 2

CVE
added 2014/05/23 2:0 p.m. | 56 views

CVE-2013-2758

CVE-2013-2758 affects Apache CloudStack 4.0.0–4.0.1 and Citrix CloudPlatform 3.0.x prior to 3.0.6 Patch C, which use a hash of a predictable sequence. This enables remote attackers to guess the console access URL via brute force. Remediation: upgrade to Apache CloudStack 4.0.2 or later, and Citri...

CVSS 5 | AI score 6.8 | EPSS 0.06472
Exploits: 0 | References: 8 | Affected Software: 2

Cvelist
added 2014/05/23 2:0 p.m. | 16 views

CVE-2013-2758

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C uses a hash of a predictable sequence, which makes it easier for remote attackers to guess the console access URL via a brute force attack...

AI score 6.6 | EPSS 0.06472
Exploits: 0 | References: 8

CVE
added 2014/05/23 2:0 p.m. | 56 views

CVE-2013-2756

The CVE-2013-2756 issue affects Apache CloudStack 4.0.0–4.0.1 (and Citrix CloudPlatform 3.0.x up to 3.0.5) where Patch C for the respective lines allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code. The root cause is an authentication bypa...

CVSS 5 | AI score 7.2 | EPSS 0.05822
Exploits: 1 | References: 8 | Affected Software: 2

Cvelist
added 2014/05/23 2:0 p.m. | 20 views

CVE-2013-2756

Apache CloudStack 4.0.0 before 4.0.2 and Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x before 3.0.6 Patch C allows remote attackers to bypass the console proxy authentication by leveraging knowledge of the source code...

AI score 7 | EPSS 0.05822
Exploits: 1 | References: 8

CVE
added 2014/05/23 2:0 p.m. | 45 views

CVE-2013-2757

CVE-2013-2757 concerns Citrix CloudPlatform (formerly Citrix CloudStack) 3.0.x prior to 3.0.6 Patch C. The issue is that access to VNC ports on the management network is not properly restricted, allowing remote attackers to impact the system via unknown vectors. The entry documents the affected p...

CVSS 7.5 | AI score 7.3 | EPSS 0.0267
Exploits: 0 | References: 6 | Affected Software: 1

NVD
added 2014/01/15 4:8 p.m. | 25 views

CVE-2014-0031

The (1) ListNetworkACL and (2) listNetworkACLLists APIs in Apache CloudStack before 4.2.1 allow remote authenticated users to list network ACLS for other users via a crafted request...

CVSS 4 | AI score 6.2 | EPSS 0.02151
Exploits: 0 | References: 3

NVD
added 2014/01/15 4:8 p.m. | 32 views

CVE-2013-6398

The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request...

CVSS 2.8 | AI score 6.5 | EPSS 0.03675
Exploits: 0 | References: 7