Apache CloudStack version 4.2.0 discloses ACLs for other users via the ListNetworkACL API.
e2558f8e1a57d6a7ae05a0d821b22bdca9fa5596a2801b9fb5ea35d671b66dc3
Apache CloudStack versions 4.1.0, 4.1.1, and 4.2.0 have an issue where their virtual router accidentally allows additional access during firewall starting and stopping.
5b5cf380d6cfc431fd863cd1c2d7ab4745ff27387d4b7347bdadf934de63b176