Apache CloudStack: Incomplete session invalidation on web interface logout

The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

不充分的会话过期机制

Apache CloudStack 代码问题漏洞

Apache CloudStack是美国阿帕奇（Apache）基金会的一套基础架构即服务（IaaS）云计算平台。该平台主要用于部署和管理大型虚拟机网络。 Apache CloudStack 4.15.10到4.18.2.3版本和4.19.0.0到4.19.1.1版本存在代码问题漏洞，该漏洞源于用户登出后会话未完全失效，可能导致拥有用户浏览器访问权限的攻击者在会话过期前访问已登出用户账户的资源。

N/A

N/A