Improper Access Control in cloudexplorer-dev/cloudexplorer-lite
Description
Improper Access Control in GitHub repository cloudexplorer-dev/cloudexplorer-lite prior to v1.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-2845 describes an improper access control vulnerability in CloudExplorer Lite prior to v1.1.0 allowing unauthorized access.
Vulnerability
An improper access control vulnerability exists in the CloudExplorer Lite repository prior to version v1.1.0 [1]. The flaw resides in the services/vm-service/backend/src/main/java/com/fit2cloud/provider/impl/huawei/api file, where a lack of proper authorization checks on certain API endpoints allows unauthorized users to access restricted functionality [2]. Affected versions include all releases before v1.1.0 [1].
Exploitation
An attacker can exploit this vulnerability by making crafted HTTP requests to vulnerable endpoints without requiring valid authentication or elevated privileges. No user interaction is needed for exploitation [2]. The attacker must have network access to the affected instance [2].
Impact
Successful exploitation allows an attacker to bypass access controls and perform actions intended for authenticated users only, leading to potential information disclosure and unauthorized data manipulation [2]. The specific impact depends on the attacker's ability to interact with internal services exposed by the vulnerability [1].
Mitigation
The vulnerability is fixed in version v1.1.0 of CloudExplorer Lite [1]. Users should upgrade to v1.1.0 or later immediately. As of the reference publication date (May 2023), no known workaround is available for unpatched versions [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <1.1.0
- cloudexplorer-dev/cloudexplorer-dev/cloudexplorer-lite, v5, Range: unspecified
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.