The Apache CloudStack’s security team turns public the CVE-2013-4317.
*Severity*: High
*Vendor*: The Apache Software Foundation
*Versions Affected*: Apache CloudStack 4.1.0, 4.1.1
*Description*: When calling the CloudStack API call listProjectAccounts
as a regular, non-administrative user, the user is able to see
information for accounts other than their own.
*Mitigation*: Upgrade to Apache CloudStack 4.2
*Credit*: This issue was identified by Ahmad Emneina of Citrix.
P.S. This issue has been fixed a long time ago. However, the
announcement has been forgotten. We apologize for that.
--
Rafael Weingärtner
