Description
ZStack Cloud versions 3.10.38 and earlier allow unauthenticated API access to the list of active job UUIDs and the session ID for each of them. This leads to privilege escalation.
References (1)
Core References
Exploit, Vendor Advisory
https://github.com/zstackio/zstack/security/advisories/GHSA-w2rv-x3pp-h67q
Scores
CVSS v3: 8.8
EPSS: 0.0073
EPSS Percentile: 49.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-613
Status: published
Products (1): zstack/zstack < 3.10.38
Published: Nov 30, 2023
Tracked Since: Feb 18, 2026