[
https://issues.apache.org/jira/browse/CLOUDSTACK-5232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13877742#comment-13877742
]
Animesh Chaturvedi commented on CLOUDSTACK-5232:
------------------------------------------------
Alena can you commit your patch into 4.3 and master
> Unauthenticated API allows Admin password reset
> -----------------------------------------------
>
> Key: CLOUDSTACK-5232
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5232
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: API
> Affects Versions: 4.2.0
> Reporter: John Kinsella
> Assignee: Alena Prokharchyk
> Priority: Critical
> Fix For: 4.3.0
>
>
> The "unauthenticated API" allows a caller to reset CCP administrator
> passwords. This presents a security risk because it allows for privilege
> escalation attacks. First, if the unauthenticated API is listening on the
> network (instead of locally) than any user on the network can reset admin
> passwords. If, the API is only listening locally, then any user with access
> to the local box can reset admin passwords. This would allow them to access
> other hosts within the CloudStack deployment.
> While it may be important to provide a recovery mechanism for admin passwords
> that have been lost or hijacked, such a solution needs to be secure. We
> should either remove this feature from the Unauthenticated API, or provide a
> solution that is less open to abuse.
> Identified by: Demetrius Tsitrelis from Citrix
> CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
