Skip to content

Pre-auth unsafe deserialization in ZStack REST API

Moderate
zxwing published GHSA-jfvq-548h-342x Jul 30, 2021

Package

zstack

Affected versions

<3.10.12 <4.1.6

Patched versions

3.10.12, 4.1.6

Description

Impact

This issue may lead to a Denial Of Service. If a suitable gadget is available, then an attacker may also be able to exploit this vulnerability to gain pre-auth remote code execution.

Patches

The problem already patched in ZStack 3.10.12, 4.1.6 and all further versions.

Workarounds

We strongly suggest users upgrade to patched versions. If you could not upgrade at once, please avoid exposing ZStack API service to public or any other untrusty network.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate
6.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

CVE ID

No known CVE

Weaknesses

No CWEs