What is CVE-2022-26779?

CVE-2022-26779 is a vulnerability found in Apache CloudStack prior to version 4.16.1.0 that used insecure random number generation for project invitation tokens.

What is the severity of CVE-2022-26779?

CVE-2022-26779 has a severity value of 7.5.

How does CVE-2022-26779 affect Apache CloudStack?

CVE-2022-26779 affects Apache CloudStack versions prior to 4.16.1.0.

How can an attacker exploit CVE-2022-26779?

An attacker with knowledge of the project ID and the fact that the invite is sent, could generate time-based tokens to bypass project invitations created based only on an email address.

How can CVE-2022-26779 be fixed?

To fix CVE-2022-26779, users should update Apache CloudStack to version 4.16.1.0 or newer.

Vulnerability/
CVE-2022-26779

high

7.5

CWE

338

15/3/2022

3/8/2024

CVE-2022-26779: Apache Cloudstack insecure random number generation affects project email invitation

First published: Tue Mar 15 2022(Updated: )

Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. An attacker with knowledge of the project ID and the fact that the invite is sent, could generate time deterministic tokens and brute force attempt to use them prior to the legitimate receiver accepting the invite. This feature is not enabled by default, the attacker is required to know or guess the project ID for the invite in addition to the invitation token, and the attacker would need to be an existing authorized user of CloudStack.

Credit: security@apache.org

Affected Software	Affected Version	How to fix
Apache CloudStack	<4.16.1.0

Remedy

https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-vpcc-9rh2-8jfp

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-26779?
CVE-2022-26779 is a vulnerability found in Apache CloudStack prior to version 4.16.1.0 that used insecure random number generation for project invitation tokens.
What is the severity of CVE-2022-26779?
CVE-2022-26779 has a severity value of 7.5.
How does CVE-2022-26779 affect Apache CloudStack?
CVE-2022-26779 affects Apache CloudStack versions prior to 4.16.1.0.
How can an attacker exploit CVE-2022-26779?
An attacker with knowledge of the project ID and the fact that the invite is sent, could generate time-based tokens to bypass project invitations created based only on an email address.
How can CVE-2022-26779 be fixed?
To fix CVE-2022-26779, users should update Apache CloudStack to version 4.16.1.0 or newer.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/remedy
agent/severity
agent/author
agent/weakness
agent/references
agent/title
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/apache
canonical/apache cloudstack

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.