In the case of remote access, the attacker can try to exploit the vulnerability by convincing the user to open a remote link or by sending a specially crafted request to a predefined remote endpoint. The vulnerability can be exploited via a direct request or by cloning a direct request and sending it to the vulnerable system. An attacker can leverage this vulnerability to obtain sensitive information or take complete control of the affected system.

The vulnerability has been assigned the following CVSS score of 8.4.

Private Cloud Management Platform is a cloud management platform that allows organizations to rapidly provision and scale virtualized consolidation of business critical data, applications, and services. It is built on the OpenStack platform and leverages the OpenStack APIs to provision, scale, and manage virtualized consolidation of business critical data, applications, and services.

Vulnerable Parts of the System

CVE-2022-2664 is one of the vulnerabilities that has been documented in Private Cloud Management Platform. The vulnerability was found by a researcher from Trustwave and allows an attacker to exploit the system via a direct request or by cloning a direct request and sending it to the vulnerable system.
The vulnerability has been assigned the following CVSS score of 8.4.

Vulnerability overview

An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable system which could result in the disclosure of sensitive information.

Vulnerability Characterization

The vulnerability is characterized by a memory corruption in the OpenStack API that results in an attacker gaining arbitrary code execution.
#1 Affected Software & Hardware
Apache CloudStack, A cloud management platform for virtualized consolidation of business critical data, applications, and services.

Vulnerable Parts of the Application

The vulnerability is located in the private cloud management platform.
An attacker can exploit this vulnerability by sending a specially crafted request to a predefined remote endpoint. The vulnerable parts of the application are processing remote requests and parsing the input data. An attacker must have administrator privileges on the application in order to exploit this vulnerability.

Timeline

Published on: 08/05/2022 11:15:00 UTC
Last modified on: 08/11/2022 18:46:00 UTC

References