Unauthenticated API Request show Cloudstack Version

[mredaelli02]

ISSUE TYPE

• Other

COMPONENT NAME

API

CLOUDSTACK VERSION

ALL

CONFIGURATION

advanced networking

SUMMARY

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
https://cloud.example.com/client/api?command=samlSso
The return error code show the Cloudstack Version that is considered as a CWE-200 level CVSS-2

<loginresponse cloud-stack-version="4.19.0.1">
    <errorcode>531
    </error code>
    <errortext>Your authenticated user is not authorized for SAML Single Sign-On, please contact
        your administrator</errortext>
</loginresponse>
Kali Linux Kali Tools Kali Docs Kali Forums Kali NetHunter
Exploit-DB Goo
This XML file does not appear to have any style information associated with it. The
-
<errorresponse cloud-stack-version="4.19.0.1">
    <errorcode>401</errorcode> -<errortext>
        unable to verify user credentials and/or request signature </errortext>
</errorresponse>

STEPS TO REPRODUCE

Request an unauthenticated API Request to the server

EXPECTED RESULTS

Error code witout sesible information

ACTUAL RESULTS

Return Cloudstack Version

[gp-santos]

Hi, @mredaelli02 !

Thanks for reporting it, it's great to see interest in the topic.

I'm working on adding two global configurations (expose.cloudstack.version.api.xml.response and expose.cloudstack.version.api.list.capabilities), I'll add an authenticated check as well to deal with this.

I'm finishing testing and will open a PR soon. Would it be alright if I assign myself this issue?

[gp-santos]

@mredaelli02 Sorry it took so long, it's here (#10575) if you want to check it out.

[mredaelli02]

Hi @gpordeus Thank you so much for the update.

[nvazquez]

Hi @mredaelli02 @gpordeus, is there any pending work on PR #10575? I'll be starting a new round of packaging and tests, is it good to be merged after successful test results?