This is an automated email from the ASF dual-hosted git repository.

dahn pushed a commit to branch 4.19
in repository https://gitbox.apache.org/repos/asf/cloudstack.git

commit ebc1244098bdb666a5d76944407c8dd7c1ebec8c
Author: nvazquez <nicovazque...@gmail.com>
AuthorDate: Wed Apr 9 07:50:32 2025 -0300

    Fix Unauthorised template/ISO list access to the domain/resource admins
    
    In Apache CloudStack, while using the listTemplates and listIsos APIs,
    Domain Admins and Resource Admins can retrieve templates and ISOs outside their
    authorized scope when specifying the domainid parameter and the self or
    selfexecutable values in the filter parameter. This results in unintended leakage
    of information related to those templates and ISOs. However, this issue does
    not affect accounts of the type User.
    
    Co-authored-by: bernardodemarco <bernardomg2...@gmail.com>
    Co-authored-by: nvazquez <nicovazque...@gmail.com>
---
 server/src/main/java/com/cloud/api/query/QueryManagerImpl.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java 
b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
index 1a03ea93dcb..d0f6fc0b16d 100644
--- a/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
@@ -4572,7 +4572,7 @@ public class QueryManagerImpl extends 
MutualExclusiveIdsManagerBase implements Q
             if (!permittedAccounts.isEmpty()) {
                 domain = 
_domainDao.findById(permittedAccounts.get(0).getDomainId());
             } else {
-                domain = _domainDao.findById(Domain.ROOT_DOMAIN);
+                domain = _domainDao.findById(caller.getDomainId());
             }
 
             setIdsListToSearchCriteria(sc, ids);
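Review bot: the `else` branch at `domain = _domainDao.findById(caller.getDomainId());` now scopes the search to the caller's own domain instead of `Domain.ROOT_DOMAIN` whenever `permittedAccounts` is empty, which is the actual fix for the over-broad scope described in the commit message; the hunk context does not show where `caller` is assigned, so please confirm it is always non-null on this path (a ROOT admin caller should still resolve to the root domain here, so their results are unchanged). A regression test that calls listTemplates and listIsos as a Domain Admin with `domainid` set and `filter=self` / `filter=selfexecutable`, asserting that no templates from sibling or parent domains are returned, would guard this one-line change against being reverted by a future refactor.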
