Search criteria
48 vulnerabilities found for Apache CloudStack by Apache Software Foundation
CVE-2025-59302 (GCVE-0-2025-59302)
Vulnerability from cvelistv5 – Published: 2025-11-27 11:46 – Updated: 2025-12-02 04:55
VLAI?
Summary
In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins.
* quotaTariffCreate
* quotaTariffUpdate
* createSecondaryStorageSelector
* updateSecondaryStorageSelector
* updateHost
* updateStorage
This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.
The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.18.0 , < 4.20.2
(semver)
Affected: 4.21.0 , < 4.22.0 (semver) |
Credits
Tianyi Cheng <chengtianyi@huawei.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-27T12:07:30.768Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/27/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59302",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T04:55:59.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.20.2",
"status": "affected",
"version": "4.18.0",
"versionType": "semver"
},
{
"lessThan": "4.22.0",
"status": "affected",
"version": "4.21.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tianyi Cheng \u003cchengtianyi@huawei.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Apache CloudStack improper control of generation of code (\u0027Code Injection\u0027) vulnerability is found in the following APIs which are accessible only to admins.\u003c/p\u003e\u003cul\u003e\u003cli\u003equotaTariffCreate\u003c/li\u003e\u003cli\u003equotaTariffUpdate\u003c/li\u003e\u003cli\u003ecreateSecondaryStorageSelector\u003c/li\u003e\u003cli\u003eupdateSecondaryStorageSelector\u003c/li\u003e\u003cli\u003eupdateHost\u003c/li\u003e\u003cli\u003eupdateStorage\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0.\u0026nbsp;Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.\u003c/p\u003e\u003cp\u003eThe fix introduces a new global configuration flag, \u003cstrong\u003e\u003ccode\u003ejs.interpretation.enabled\u003c/code\u003e\u003c/strong\u003e, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.\u003c/p\u003e"
}
],
"value": "In Apache CloudStack improper control of generation of code (\u0027Code Injection\u0027) vulnerability is found in the following APIs which are accessible only to admins.\n\n * quotaTariffCreate\n * quotaTariffUpdate\n * createSecondaryStorageSelector\n * updateSecondaryStorageSelector\n * updateHost\n * updateStorage\n\n\nThis issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0.\u00a0Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.\n\nThe fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T11:46:25.521Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Potential remote code execution on Javascript engine defined rules",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59302",
"datePublished": "2025-11-27T11:46:25.521Z",
"dateReserved": "2025-09-12T02:34:41.709Z",
"dateUpdated": "2025-12-02T04:55:59.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59454 (GCVE-0-2025-59454)
Vulnerability from cvelistv5 – Published: 2025-11-27 11:40 – Updated: 2025-11-28 15:41
VLAI?
Summary
In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL
- listNetworkACLs
- listResourceDetails
- listVirtualMachinesUsageHistory
- listVolumesUsageHistory
While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.
Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.0.0 , < 4.20.2
(semver)
Affected: 4.21.0 , < 4.22.0 (semver) |
Credits
bugreporter@qq.com <https://github.com/ai-bugreporter/Credits>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-27T12:07:34.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/27/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:41:41.950318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:41:44.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.20.2",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.22.0",
"status": "affected",
"version": "4.21.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "bugreporter@qq.com \u003chttps://github.com/ai-bugreporter/Credits\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Apache CloudStack, a gap in access control checks affected the APIs \u003cpre\u003e- createNetworkACL\n- listNetworkACLs\n- listResourceDetails\n- listVirtualMachinesUsageHistory\n- listVolumesUsageHistory\u003c/pre\u003e\u003cdiv\u003eWhile these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eUsers are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.\u003c/div\u003e"
}
],
"value": "In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL\n- listNetworkACLs\n- listResourceDetails\n- listVirtualMachinesUsageHistory\n- listVolumesUsageHistory\n\nWhile these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.\n\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T11:40:40.043Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Lack of user permission validation leading to data leak for few APIs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59454",
"datePublished": "2025-11-27T11:40:40.043Z",
"dateReserved": "2025-09-16T05:22:52.960Z",
"dateUpdated": "2025-11-28T15:41:44.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30675 (GCVE-0-2025-30675)
Vulnerability from cvelistv5 – Published: 2025-06-10 23:12 – Updated: 2025-06-11 13:52
VLAI?
Summary
In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.
A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.
This vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller's scope rather than defaulting to the ROOT domain.
Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.
Severity ?
4.7 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.0.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Bernardo De Marco Gonçalves <bernardomg2004@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30675",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T13:52:11.857369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T13:52:21.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bernardo De Marco Gon\u00e7alves \u003cbernardomg2004@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eIn Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the \u0027domainid\u0027 parameter along with the \u0027filter=self\u0027 or \u0027filter=selfexecutable\u0027 values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.\u0026nbsp;\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eThis vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller\u0027s scope rather than defaulting to the ROOT domain.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAffected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the \u0027domainid\u0027 parameter along with the \u0027filter=self\u0027 or \u0027filter=selfexecutable\u0027 values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.\n\nA malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.\u00a0\n\nThis vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller\u0027s scope rather than defaulting to the ROOT domain.\n\n\n\n\nAffected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:12:23.838Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Unauthorised template/ISO list access to the domain/resource admins",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-30675",
"datePublished": "2025-06-10T23:12:23.838Z",
"dateReserved": "2025-03-25T07:15:12.974Z",
"dateUpdated": "2025-06-11T13:52:21.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22829 (GCVE-0-2025-22829)
Vulnerability from cvelistv5 – Published: 2025-06-10 23:11 – Updated: 2025-06-11 13:53
VLAI?
Summary
The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.
Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.20.0.0 , < 4.20.1.0
(semver)
|
Credits
Fabricio Duarte <fabricio.duarte.jr@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T13:53:33.346984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T13:53:45.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fabricio Duarte \u003cfabricio.duarte.jr@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.\u003cbr\u003e\u003cbr\u003eQuota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue."
}
],
"value": "The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.\n\nQuota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:22:01.081Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Unauthorised access to dedicated resources in Quota plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-22829",
"datePublished": "2025-06-10T23:11:24.828Z",
"dateReserved": "2025-01-07T23:23:17.658Z",
"dateUpdated": "2025-06-11T13:53:45.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26521 (GCVE-0-2025-26521)
Vulnerability from cvelistv5 – Published: 2025-06-10 23:08 – Updated: 2025-06-14 03:56
VLAI?
Summary
When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the 'kubeadmin' user of the CKS cluster's creator's account. An attacker who's a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator's account.
CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role "Project Kubernetes Service Role" with the following details:
Account Name
kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID>
First Name
Kubernetes
Last Name
Service User
Account Type
0 (Normal User)
Role ID
<ID_OF_SERVICE_ROLE>
2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.
3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.
4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:
api-url = <API_URL> # For example: <MS_URL>/client/api
api-key = <SERVICE_USER_API_KEY>
secret-key = <SERVICE_USER_SECRET_KEY>
project-id = <PROJECT_ID>
Delete the existing secret using kubectl and Kubernetes cluster config:
./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret
Create a new secret using kubectl and Kubernetes cluster config:
./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config
Remove the temporary file:
rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.
Severity ?
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.17.0.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Wei Zhou (weizhou@apache.org)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-26521",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:16.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.17.0.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wei Zhou (weizhou@apache.org)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\u003cbr\u003e\u003cbr\u003eCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.\u003ch3\u003eUpdating Existing Kubernetes Clusters in Projects\u003c/h3\u003eA \u003cb\u003eservice account\u003c/b\u003e should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:\u003ch3\u003e1. Create a New Service Account\u003c/h3\u003e\u003cdiv\u003eCreate a new account using the role \u003cb\u003e\"Project Kubernetes Service Role\"\u003c/b\u003e with the following details:\u003c/div\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eAccount Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003ekubeadmin-\u0026lt;FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u0026gt;\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eFirst Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eKubernetes\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eLast Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eService User\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eAccount Type\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e0 (Normal User)\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRole ID\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;ID_OF_SERVICE_ROLE\u0026gt;\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/div\u003e\u003ch3\u003e2. Add the Service Account to the Project\u003c/h3\u003eAdd this account to the \u003cb\u003eproject\u003c/b\u003e where the Kubernetes cluster(s) are hosted.\u003cbr\u003e\u003ch3\u003e3. Generate API and Secret Keys\u003c/h3\u003eGenerate \u003cb\u003eAPI Key\u003c/b\u003e and \u003cb\u003eSecret Key\u003c/b\u003e for the \u003ci\u003edefault user\u003c/i\u003e of this account.\u003cbr\u003e\u003ch3\u003e4. Update the CloudStack Secret in the Kubernetes Cluster\u003c/h3\u003eCreate a temporary file `/tmp/cloud-config` with the following data:\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003ctt\u003e\u0026nbsp;api-url = \u0026lt;API_URL\u0026gt; \u0026nbsp; \u0026nbsp; # For example: \u0026lt;MS_URL\u0026gt;/client/api\u003cbr\u003e\u0026nbsp; api-key = \u0026lt;SERVICE_USER_API_KEY\u0026gt;\u003cbr\u003e\u0026nbsp; secret-key = \u0026lt;SERVICE_USER_SECRET_KEY\u0026gt;\u003cbr\u003e\u003c/tt\u003e\u003cdiv\u003e\u003ctt\u003e\u0026nbsp; project-id = \u0026lt;PROJECT_ID\u0026gt;\u003c/tt\u003e\u003c/div\u003e\u003cdiv\u003e\u003ctt\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/div\u003eDelete the existing secret using kubectl and Kubernetes cluster config:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp;\u0026nbsp;\u003ctt\u003e\u0026nbsp;./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\u003c/tt\u003e\u003c/div\u003e\u003cdiv\u003e\u003ctt\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/div\u003eCreate a new secret using kubectl and Kubernetes cluster config:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp; \u0026nbsp; ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eRemove the temporary file:\u003cbr\u003e\u0026nbsp; \u0026nbsp; rm /tmp/cloud-config\u003ch3\u003e5. Regenerate API and Secret Keys\u003c/h3\u003eRegenerate the API and secret keys for the \u003cb\u003eoriginal user account\u003c/b\u003e that was used to create the Kubernetes cluster.\u003cbr\u003e"
}
],
"value": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\n\nCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role \"Project Kubernetes Service Role\" with the following details:\n\nAccount Name\nkubeadmin-\u003cFIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u003e\nFirst Name\nKubernetes\nLast Name\nService User\nAccount Type\n0 (Normal User)\nRole ID\n\u003cID_OF_SERVICE_ROLE\u003e\n\n\n\n2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.\n3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.\n4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:\n\u00a0\u00a0\u00a0api-url = \u003cAPI_URL\u003e \u00a0 \u00a0 # For example: \u003cMS_URL\u003e/client/api\n\u00a0 api-key = \u003cSERVICE_USER_API_KEY\u003e\n\u00a0 secret-key = \u003cSERVICE_USER_SECRET_KEY\u003e\n\u00a0 project-id = \u003cPROJECT_ID\u003e\n\n\n\n\nDelete the existing secret using kubectl and Kubernetes cluster config:\n\u00a0\u00a0\u00a0./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\n\n\n\n\nCreate a new secret using kubectl and Kubernetes cluster config:\n\u00a0 \u00a0 ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\n\n\n\n\nRemove the temporary file:\n\u00a0 \u00a0 rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:08:48.602Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: CKS cluster in project exposes user API keys",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-26521",
"datePublished": "2025-06-10T23:08:48.602Z",
"dateReserved": "2025-02-12T09:12:55.769Z",
"dateUpdated": "2025-06-14T03:56:16.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47849 (GCVE-0-2025-47849)
Vulnerability from cvelistv5 – Published: 2025-06-10 23:07 – Updated: 2025-06-14 03:56
VLAI?
Summary
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:
* Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role.
* API privilege comparison: the caller must possess all privileges of the user they are operating on.
* Two new domain-level settings (restricted to the default admin):
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
Severity ?
No CVSS data available.
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.10.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Kevin Li <kli74@apple.com>
Scott Schmitz <sschmitz@ussignal.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:15.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Li \u003ckli74@apple.com\u003e"
},
{
"lang": "en",
"type": "finder",
"value": "Scott Schmitz \u003csschmitz@ussignal.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. \u003c/span\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eStrict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAPI privilege comparison: the caller must possess all privileges of the user they are operating on.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eTwo new domain-level settings (restricted to the default admin):\u0026nbsp;\u003cbr\u003e\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\".\u0026nbsp;\u003cbr\u003e\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
}
],
"value": "A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\n\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\n\n\n * Strict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\u00a0\n * API privilege comparison: the caller must possess all privileges of the user they are operating on.\u00a0\n * Two new domain-level settings (restricted to the default admin):\u00a0\n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\".\u00a0\n\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:07:54.526Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Insecure access of user\u0027s API/Secret Keys in the same domain",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-47849",
"datePublished": "2025-06-10T23:07:54.526Z",
"dateReserved": "2025-05-12T08:45:45.595Z",
"dateUpdated": "2025-06-14T03:56:15.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47713 (GCVE-0-2025-47713)
Vulnerability from cvelistv5 – Published: 2025-06-10 23:06 – Updated: 2025-06-14 03:56
VLAI?
Summary
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:
* Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role.
* API privilege comparison: the caller must possess all privileges of the user they are operating on.
* Two new domain-level settings (restricted to the default Admin):
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
Severity ?
No CVSS data available.
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.10.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Scott Schmitz <sschmitz@ussignal.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:14.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Scott Schmitz \u003csschmitz@ussignal.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eStrict validation on Role Type hierarchy: the caller\u0027s user-account role must be equal to or higher than the target user-account\u0027s role.\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAPI privilege comparison: the caller must possess all privileges of the user they are operating on. \u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eTwo new domain-level settings (restricted to the default Admin): \u003cbr\u003e\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\". \u003cbr\u003e\u0026nbsp; \u0026nbsp;- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e\u003c/span\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts.\u00a0A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that\u00a0could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\n * Strict validation on Role Type hierarchy: the caller\u0027s user-account role must be equal to or higher than the target user-account\u0027s role.\n * API privilege comparison: the caller must possess all privileges of the user they are operating on. \n * Two new domain-level settings (restricted to the default Admin): \n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\". \n\u00a0 \u00a0- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:06:45.585Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Domain Admin can reset Admin password in Root Domain",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-47713",
"datePublished": "2025-06-10T23:06:45.585Z",
"dateReserved": "2025-05-07T22:41:41.858Z",
"dateUpdated": "2025-06-14T03:56:14.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22828 (GCVE-0-2025-22828)
Vulnerability from cvelistv5 – Published: 2025-01-13 12:47 – Updated: 2025-01-13 19:02
VLAI?
Summary
CloudStack users can add and read comments (annotations) on resources they are authorised to access.
Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources.
An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources.
This may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact.
CloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.
Severity ?
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.16.0 , ≤ *
(semver)
|
Credits
Alex Perrakis <alexperrakis1@gmail.com>
Efstratios Chatzoglou <efchatzoglou@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T17:24:45.749950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T17:25:25.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-01-13T19:02:32.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/13/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "4.16.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Alex Perrakis \u003calexperrakis1@gmail.com\u003e"
},
{
"lang": "en",
"type": "reporter",
"value": "Efstratios Chatzoglou \u003cefchatzoglou@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCloudStack users can add and read comments (annotations) on resources they are authorised to access.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eDue to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eAn attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eThis may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn\u0027t same as access to CloudStack resources, making this issue of very low severity and general low impact.\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003eCloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "CloudStack users can add and read comments (annotations) on resources they are authorised to access.\u00a0\n\nDue to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources.\u00a0\n\nAn attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources.\u00a0\n\nThis may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn\u0027t same as access to CloudStack resources, making this issue of very low severity and general low impact.\n\n\nCloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure."
}
],
"metrics": [
{
"other": {
"content": {
"text": "Low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T12:47:51.619Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Unauthorised access to annotations",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-22828",
"datePublished": "2025-01-13T12:47:51.619Z",
"dateReserved": "2025-01-07T22:13:56.892Z",
"dateUpdated": "2025-01-13T19:02:32.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50386 (GCVE-0-2024-50386)
Vulnerability from cvelistv5 – Published: 2024-11-12 14:34 – Updated: 2024-11-12 20:06
VLAI?
Summary
Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue.
Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.
for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done
For checking the whole template/volume features of each disk, operators can run the following command:
for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done
Severity ?
8.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.0.0 , ≤ 4.18.2.4
(semver)
Affected: 4.19.0.0 , ≤ 4.19.1.2 (semver) |
Credits
Kiran Chavala <kiranchavala@apache.org>
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cloudstack",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "4.18.2.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.2",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T16:07:06.274965Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T16:10:15.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-12T17:02:47.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/12/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.2",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kiran Chavala \u003ckiranchavala@apache.org\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. \u003cbr\u003e\u003cbr\u003e\u003c/span\u003eAdditionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. H\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eowever, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\u003c/span\u003e\u003cbr\u003e\u003c/div\u003e\u003cblockquote\u003efor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\u003c/blockquote\u003e\u003cdiv\u003e\u003cbr\u003eFor checking the whole template/volume features of each disk, operators can run the following command:\u003cbr\u003e\u003c/div\u003e\u003cblockquote\u003efor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done\u003c/blockquote\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. \n\nAdditionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\nFor checking the whole template/volume features of each disk, operators can run the following command:\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T20:06:52.571Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/d0x83c2cyglzzdw8csbop7mj7h83z95y"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-5-and-4-19-1-3/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-50386",
"datePublished": "2024-11-12T14:34:08.537Z",
"dateReserved": "2024-10-23T21:07:56.466Z",
"dateUpdated": "2024-11-12T20:06:52.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45219 (GCVE-0-2024-45219)
Vulnerability from cvelistv5 – Published: 2024-10-16 07:55 – Updated: 2024-10-16 14:48
VLAI?
Summary
Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Additionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk.
for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done
The command can also be run for the file-based primary storages; however, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.
For checking the whole template/volume features of each disk, operators can run the following command:
for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done
Severity ?
8.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.0.0 , ≤ 4.18.2.3
(semver)
Affected: 4.19.0.0 , ≤ 4.19.1.1 (semver) |
Credits
Daniel Augusto Veronezi Salvador <gutoveronezi@apache.org>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-10-16T08:03:38.754Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/10/15/2"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_cloudstack",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T14:45:46.172559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T14:48:18.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Daniel Augusto Veronezi Salvador \u003cgutoveronezi@apache.org\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. \u003cbr\u003e\u003cbr\u003e\u003c/span\u003eAdditionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk.\u003cbr\u003e\u003c/div\u003e\u003cblockquote\u003efor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\u003c/blockquote\u003e\u003cdiv\u003e\u003cbr\u003eThe command can also be run for the file-based primary storages; however, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\u003cbr\u003e\u003cbr\u003eFor checking the whole template/volume features of each disk, operators can run the following command:\u003cbr\u003e\u003c/div\u003e\u003cblockquote\u003efor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done\u003c/blockquote\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. \n\nAdditionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk.\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\nThe command can also be run for the file-based primary storages; however, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\n\nFor checking the whole template/volume features of each disk, operators can run the following command:\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T07:55:02.534Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch",
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45219",
"datePublished": "2024-10-16T07:55:02.534Z",
"dateReserved": "2024-08-23T20:40:33.349Z",
"dateUpdated": "2024-10-16T14:48:18.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45462 (GCVE-0-2024-45462)
Vulnerability from cvelistv5 – Published: 2024-10-16 07:53 – Updated: 2024-10-16 14:54
VLAI?
Summary
The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1.
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Severity ?
6.3 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.15.1.0 , ≤ 4.18.2.3
(semver)
Affected: 4.19.0.0 , ≤ 4.19.1.1 (semver) |
Credits
Arthur Souza
Felipe Olivaes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-10-16T08:03:42.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/10/15/4"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_cloudstack",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.15.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T14:51:40.647741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T14:54:34.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.15.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Arthur Souza"
},
{
"lang": "en",
"type": "reporter",
"value": "Felipe Olivaes"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user\u0027s browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user\u0027s browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1.\n\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T07:53:40.129Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Incomplete session invalidation on web interface logout",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45462",
"datePublished": "2024-10-16T07:53:40.129Z",
"dateReserved": "2024-08-29T08:57:32.948Z",
"dateUpdated": "2024-10-16T14:54:34.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45693 (GCVE-0-2024-45693)
Vulnerability from cvelistv5 – Published: 2024-10-16 07:52 – Updated: 2024-10-16 14:57
VLAI?
Summary
Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform.
This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.15.1.0 , ≤ 4.18.2.3
(semver)
Affected: 4.19.0.0 , ≤ 4.19.1.1 (semver) |
Credits
Arthur Souza
Felipe Olivaes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-10-16T08:03:43.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/10/15/5"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cloudstack",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.15.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T14:55:50.101049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T14:57:41.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.15.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Arthur Souza"
},
{
"lang": "en",
"type": "reporter",
"value": "Felipe Olivaes"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsers logged into the Apache CloudStack\u0027s web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;to account takeover,\u0026nbsp;\u003c/span\u003edisruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform.\u003c/p\u003e\u003cp\u003eThis issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u003c/span\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Users logged into the Apache CloudStack\u0027s web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead\u00a0to account takeover,\u00a0disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform.\n\nThis issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T07:52:25.816Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Request origin validation bypass makes account takeover possible",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45693",
"datePublished": "2024-10-16T07:52:25.816Z",
"dateReserved": "2024-09-05T00:23:11.078Z",
"dateUpdated": "2024-10-16T14:57:41.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42062 (GCVE-0-2024-42062)
Vulnerability from cvelistv5 – Published: 2024-08-07 07:17 – Updated: 2024-09-03 19:58
VLAI?
Summary
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure.
Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.
Severity ?
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.10.0 , ≤ 4.18.2.2
(semver)
Affected: 4.19.0.0 , ≤ 4.19.1.0 (semver) |
Credits
Fabricio Duarte
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T08:03:17.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/06/5"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "cloudstack",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "4.19.1.0",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.18.2.2",
"status": "affected",
"version": "4.10.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42062",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T18:16:06.919266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T19:58:27.161Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.2",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.0",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fabricio Duarte"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDue to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin.\u0026nbsp;\u003c/span\u003eAn attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edenial of service\u003c/span\u003e\u0026nbsp;and availability of CloudStack managed infrastructure.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue.\u0026nbsp;Additionally, all account-user API and secret keys should be regenerated.\u003cbr\u003e"
}
],
"value": "CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can\u00a0generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations.\u00a0Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin.\u00a0An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss,\u00a0denial of service\u00a0and availability of CloudStack managed infrastructure.\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue.\u00a0Additionally, all account-user API and secret keys should be regenerated."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T13:44:08.239Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: User Key Exposure to Domain Admins",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-42062",
"datePublished": "2024-08-07T07:17:08.811Z",
"dateReserved": "2024-07-29T11:57:03.344Z",
"dateUpdated": "2024-09-03T19:58:27.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42222 (GCVE-0-2024-42222)
Vulnerability from cvelistv5 – Published: 2024-08-07 07:16 – Updated: 2025-03-14 15:57
VLAI?
Summary
In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data.
Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.
Severity ?
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.19.1.0
|
Credits
Christian Gross of Netcloud AG
Midhun Jose
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T08:03:19.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/06/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T14:57:20.655680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T15:57:32.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "4.19.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Gross of Netcloud AG"
},
{
"lang": "en",
"type": "finder",
"value": "Midhun Jose"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eIn Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data.\u003cbr\u003e\u003cbr\u003eAffected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data.\n\nAffected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T07:16:13.765Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/apache/cloudstack/issues/9456"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Unauthorised Network List Access",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-42222",
"datePublished": "2024-08-07T07:16:13.765Z",
"dateReserved": "2024-07-30T05:26:40.956Z",
"dateUpdated": "2025-03-14T15:57:32.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41107 (GCVE-0-2024-41107)
Vulnerability from cvelistv5 – Published: 2024-07-19 10:19 – Updated: 2025-03-19 18:31
VLAI?
Summary
The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account. In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account.
Affected users are recommended to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.
Severity ?
No CVSS data available.
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.5.0 , ≤ 4.18.2.1
(semver)
Affected: 4.19.0.0 , ≤ 4.19.0.2 (semver) |
Credits
Christian Gross of Netcloud AG
Damon Smith of Apple Services Engineering Security
Adam Pond of Apple Services Engineering Security
Terry Thibault of Apple Services Engineering Security
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_cloudstack",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.1",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.19.0.2",
"status": "affected",
"version": "4.19.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41107",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T14:40:52.301987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T18:31:21.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/5q06g8zvmhcw6w3tjr6r5prqdw6zckg3"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/apache/cloudstack/issues/4519"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-cve-2024-41107"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/19/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/19/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.1",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.0.2",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Gross of Netcloud AG"
},
{
"lang": "en",
"type": "finder",
"value": "Damon Smith of Apple Services Engineering Security"
},
{
"lang": "en",
"type": "finder",
"value": "Adam Pond of Apple Services Engineering Security"
},
{
"lang": "en",
"type": "finder",
"value": "Terry Thibault of Apple Services Engineering Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eknown or guessed username and other user details of a SAML-enabled CloudStack user-account\u003c/span\u003e.\u0026nbsp;In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAffected users are recommended to disable the SAML authentication plugin by setting the\u0026nbsp;\"saml2.enabled\" global setting to \"false\", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account.\u00a0In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account.\n\nAffected users are recommended to disable the SAML authentication plugin by setting the\u00a0\"saml2.enabled\" global setting to \"false\", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T10:20:06.990Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/5q06g8zvmhcw6w3tjr6r5prqdw6zckg3"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/apache/cloudstack/issues/4519"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-cve-2024-41107"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/19/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/19/2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache CloudStack: SAML Signature Exclusion",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-41107",
"datePublished": "2024-07-19T10:19:53.995Z",
"dateReserved": "2024-07-12T22:43:29.015Z",
"dateUpdated": "2025-03-19T18:31:21.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59302 (GCVE-0-2025-59302)
Vulnerability from nvd – Published: 2025-11-27 11:46 – Updated: 2025-12-02 04:55
VLAI?
Summary
In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins.
* quotaTariffCreate
* quotaTariffUpdate
* createSecondaryStorageSelector
* updateSecondaryStorageSelector
* updateHost
* updateStorage
This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.
The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.18.0 , < 4.20.2
(semver)
Affected: 4.21.0 , < 4.22.0 (semver) |
Credits
Tianyi Cheng <chengtianyi@huawei.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-27T12:07:30.768Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/27/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59302",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-01T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T04:55:59.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.20.2",
"status": "affected",
"version": "4.18.0",
"versionType": "semver"
},
{
"lessThan": "4.22.0",
"status": "affected",
"version": "4.21.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tianyi Cheng \u003cchengtianyi@huawei.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Apache CloudStack improper control of generation of code (\u0027Code Injection\u0027) vulnerability is found in the following APIs which are accessible only to admins.\u003c/p\u003e\u003cul\u003e\u003cli\u003equotaTariffCreate\u003c/li\u003e\u003cli\u003equotaTariffUpdate\u003c/li\u003e\u003cli\u003ecreateSecondaryStorageSelector\u003c/li\u003e\u003cli\u003eupdateSecondaryStorageSelector\u003c/li\u003e\u003cli\u003eupdateHost\u003c/li\u003e\u003cli\u003eupdateStorage\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThis issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0.\u0026nbsp;Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.\u003c/p\u003e\u003cp\u003eThe fix introduces a new global configuration flag, \u003cstrong\u003e\u003ccode\u003ejs.interpretation.enabled\u003c/code\u003e\u003c/strong\u003e, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.\u003c/p\u003e"
}
],
"value": "In Apache CloudStack improper control of generation of code (\u0027Code Injection\u0027) vulnerability is found in the following APIs which are accessible only to admins.\n\n * quotaTariffCreate\n * quotaTariffUpdate\n * createSecondaryStorageSelector\n * updateSecondaryStorageSelector\n * updateHost\n * updateStorage\n\n\nThis issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0.\u00a0Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.\n\nThe fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T11:46:25.521Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Potential remote code execution on Javascript engine defined rules",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59302",
"datePublished": "2025-11-27T11:46:25.521Z",
"dateReserved": "2025-09-12T02:34:41.709Z",
"dateUpdated": "2025-12-02T04:55:59.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59454 (GCVE-0-2025-59454)
Vulnerability from nvd – Published: 2025-11-27 11:40 – Updated: 2025-11-28 15:41
VLAI?
Summary
In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL
- listNetworkACLs
- listResourceDetails
- listVirtualMachinesUsageHistory
- listVolumesUsageHistory
While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.
Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.0.0 , < 4.20.2
(semver)
Affected: 4.21.0 , < 4.22.0 (semver) |
Credits
bugreporter@qq.com <https://github.com/ai-bugreporter/Credits>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-27T12:07:34.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/27/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:41:41.950318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:41:44.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.20.2",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.22.0",
"status": "affected",
"version": "4.21.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "bugreporter@qq.com \u003chttps://github.com/ai-bugreporter/Credits\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Apache CloudStack, a gap in access control checks affected the APIs \u003cpre\u003e- createNetworkACL\n- listNetworkACLs\n- listResourceDetails\n- listVirtualMachinesUsageHistory\n- listVolumesUsageHistory\u003c/pre\u003e\u003cdiv\u003eWhile these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eUsers are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.\u003c/div\u003e"
}
],
"value": "In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL\n- listNetworkACLs\n- listResourceDetails\n- listVirtualMachinesUsageHistory\n- listVolumesUsageHistory\n\nWhile these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.\n\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-27T11:40:40.043Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Lack of user permission validation leading to data leak for few APIs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59454",
"datePublished": "2025-11-27T11:40:40.043Z",
"dateReserved": "2025-09-16T05:22:52.960Z",
"dateUpdated": "2025-11-28T15:41:44.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30675 (GCVE-0-2025-30675)
Vulnerability from nvd – Published: 2025-06-10 23:12 – Updated: 2025-06-11 13:52
VLAI?
Summary
In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.
A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.
This vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller's scope rather than defaulting to the ROOT domain.
Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.
Severity ?
4.7 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.0.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Bernardo De Marco Gonçalves <bernardomg2004@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30675",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T13:52:11.857369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T13:52:21.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bernardo De Marco Gon\u00e7alves \u003cbernardomg2004@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eIn Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the \u0027domainid\u0027 parameter along with the \u0027filter=self\u0027 or \u0027filter=selfexecutable\u0027 values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.\u0026nbsp;\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eThis vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller\u0027s scope rather than defaulting to the ROOT domain.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAffected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the \u0027domainid\u0027 parameter along with the \u0027filter=self\u0027 or \u0027filter=selfexecutable\u0027 values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.\n\nA malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.\u00a0\n\nThis vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller\u0027s scope rather than defaulting to the ROOT domain.\n\n\n\n\nAffected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:12:23.838Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Unauthorised template/ISO list access to the domain/resource admins",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-30675",
"datePublished": "2025-06-10T23:12:23.838Z",
"dateReserved": "2025-03-25T07:15:12.974Z",
"dateUpdated": "2025-06-11T13:52:21.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22829 (GCVE-0-2025-22829)
Vulnerability from nvd – Published: 2025-06-10 23:11 – Updated: 2025-06-11 13:53
VLAI?
Summary
The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.
Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.20.0.0 , < 4.20.1.0
(semver)
|
Credits
Fabricio Duarte <fabricio.duarte.jr@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T13:53:33.346984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T13:53:45.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fabricio Duarte \u003cfabricio.duarte.jr@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.\u003cbr\u003e\u003cbr\u003eQuota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue."
}
],
"value": "The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.\n\nQuota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:22:01.081Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Unauthorised access to dedicated resources in Quota plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-22829",
"datePublished": "2025-06-10T23:11:24.828Z",
"dateReserved": "2025-01-07T23:23:17.658Z",
"dateUpdated": "2025-06-11T13:53:45.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26521 (GCVE-0-2025-26521)
Vulnerability from nvd – Published: 2025-06-10 23:08 – Updated: 2025-06-14 03:56
VLAI?
Summary
When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the 'kubeadmin' user of the CKS cluster's creator's account. An attacker who's a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator's account.
CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role "Project Kubernetes Service Role" with the following details:
Account Name
kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID>
First Name
Kubernetes
Last Name
Service User
Account Type
0 (Normal User)
Role ID
<ID_OF_SERVICE_ROLE>
2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.
3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.
4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:
api-url = <API_URL> # For example: <MS_URL>/client/api
api-key = <SERVICE_USER_API_KEY>
secret-key = <SERVICE_USER_SECRET_KEY>
project-id = <PROJECT_ID>
Delete the existing secret using kubectl and Kubernetes cluster config:
./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret
Create a new secret using kubectl and Kubernetes cluster config:
./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config
Remove the temporary file:
rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.
Severity ?
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.17.0.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Wei Zhou (weizhou@apache.org)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-26521",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:16.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.17.0.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wei Zhou (weizhou@apache.org)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\u003cbr\u003e\u003cbr\u003eCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.\u003ch3\u003eUpdating Existing Kubernetes Clusters in Projects\u003c/h3\u003eA \u003cb\u003eservice account\u003c/b\u003e should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:\u003ch3\u003e1. Create a New Service Account\u003c/h3\u003e\u003cdiv\u003eCreate a new account using the role \u003cb\u003e\"Project Kubernetes Service Role\"\u003c/b\u003e with the following details:\u003c/div\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eAccount Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003ekubeadmin-\u0026lt;FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u0026gt;\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eFirst Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eKubernetes\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eLast Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eService User\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eAccount Type\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e0 (Normal User)\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRole ID\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;ID_OF_SERVICE_ROLE\u0026gt;\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/div\u003e\u003ch3\u003e2. Add the Service Account to the Project\u003c/h3\u003eAdd this account to the \u003cb\u003eproject\u003c/b\u003e where the Kubernetes cluster(s) are hosted.\u003cbr\u003e\u003ch3\u003e3. Generate API and Secret Keys\u003c/h3\u003eGenerate \u003cb\u003eAPI Key\u003c/b\u003e and \u003cb\u003eSecret Key\u003c/b\u003e for the \u003ci\u003edefault user\u003c/i\u003e of this account.\u003cbr\u003e\u003ch3\u003e4. Update the CloudStack Secret in the Kubernetes Cluster\u003c/h3\u003eCreate a temporary file `/tmp/cloud-config` with the following data:\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003ctt\u003e\u0026nbsp;api-url = \u0026lt;API_URL\u0026gt; \u0026nbsp; \u0026nbsp; # For example: \u0026lt;MS_URL\u0026gt;/client/api\u003cbr\u003e\u0026nbsp; api-key = \u0026lt;SERVICE_USER_API_KEY\u0026gt;\u003cbr\u003e\u0026nbsp; secret-key = \u0026lt;SERVICE_USER_SECRET_KEY\u0026gt;\u003cbr\u003e\u003c/tt\u003e\u003cdiv\u003e\u003ctt\u003e\u0026nbsp; project-id = \u0026lt;PROJECT_ID\u0026gt;\u003c/tt\u003e\u003c/div\u003e\u003cdiv\u003e\u003ctt\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/div\u003eDelete the existing secret using kubectl and Kubernetes cluster config:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp;\u0026nbsp;\u003ctt\u003e\u0026nbsp;./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\u003c/tt\u003e\u003c/div\u003e\u003cdiv\u003e\u003ctt\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/div\u003eCreate a new secret using kubectl and Kubernetes cluster config:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp; \u0026nbsp; ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eRemove the temporary file:\u003cbr\u003e\u0026nbsp; \u0026nbsp; rm /tmp/cloud-config\u003ch3\u003e5. Regenerate API and Secret Keys\u003c/h3\u003eRegenerate the API and secret keys for the \u003cb\u003eoriginal user account\u003c/b\u003e that was used to create the Kubernetes cluster.\u003cbr\u003e"
}
],
"value": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\n\nCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role \"Project Kubernetes Service Role\" with the following details:\n\nAccount Name\nkubeadmin-\u003cFIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u003e\nFirst Name\nKubernetes\nLast Name\nService User\nAccount Type\n0 (Normal User)\nRole ID\n\u003cID_OF_SERVICE_ROLE\u003e\n\n\n\n2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.\n3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.\n4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:\n\u00a0\u00a0\u00a0api-url = \u003cAPI_URL\u003e \u00a0 \u00a0 # For example: \u003cMS_URL\u003e/client/api\n\u00a0 api-key = \u003cSERVICE_USER_API_KEY\u003e\n\u00a0 secret-key = \u003cSERVICE_USER_SECRET_KEY\u003e\n\u00a0 project-id = \u003cPROJECT_ID\u003e\n\n\n\n\nDelete the existing secret using kubectl and Kubernetes cluster config:\n\u00a0\u00a0\u00a0./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\n\n\n\n\nCreate a new secret using kubectl and Kubernetes cluster config:\n\u00a0 \u00a0 ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\n\n\n\n\nRemove the temporary file:\n\u00a0 \u00a0 rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:08:48.602Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: CKS cluster in project exposes user API keys",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-26521",
"datePublished": "2025-06-10T23:08:48.602Z",
"dateReserved": "2025-02-12T09:12:55.769Z",
"dateUpdated": "2025-06-14T03:56:16.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47849 (GCVE-0-2025-47849)
Vulnerability from nvd – Published: 2025-06-10 23:07 – Updated: 2025-06-14 03:56
VLAI?
Summary
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:
* Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role.
* API privilege comparison: the caller must possess all privileges of the user they are operating on.
* Two new domain-level settings (restricted to the default admin):
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
Severity ?
No CVSS data available.
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.10.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Kevin Li <kli74@apple.com>
Scott Schmitz <sschmitz@ussignal.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:15.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Li \u003ckli74@apple.com\u003e"
},
{
"lang": "en",
"type": "finder",
"value": "Scott Schmitz \u003csschmitz@ussignal.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. \u003c/span\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eStrict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAPI privilege comparison: the caller must possess all privileges of the user they are operating on.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eTwo new domain-level settings (restricted to the default admin):\u0026nbsp;\u003cbr\u003e\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\".\u0026nbsp;\u003cbr\u003e\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
}
],
"value": "A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\n\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\n\n\n * Strict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\u00a0\n * API privilege comparison: the caller must possess all privileges of the user they are operating on.\u00a0\n * Two new domain-level settings (restricted to the default admin):\u00a0\n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\".\u00a0\n\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:07:54.526Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Insecure access of user\u0027s API/Secret Keys in the same domain",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-47849",
"datePublished": "2025-06-10T23:07:54.526Z",
"dateReserved": "2025-05-12T08:45:45.595Z",
"dateUpdated": "2025-06-14T03:56:15.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47713 (GCVE-0-2025-47713)
Vulnerability from nvd – Published: 2025-06-10 23:06 – Updated: 2025-06-14 03:56
VLAI?
Summary
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:
* Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role.
* API privilege comparison: the caller must possess all privileges of the user they are operating on.
* Two new domain-level settings (restricted to the default Admin):
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
Severity ?
No CVSS data available.
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.10.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Scott Schmitz <sschmitz@ussignal.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:14.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Scott Schmitz \u003csschmitz@ussignal.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eStrict validation on Role Type hierarchy: the caller\u0027s user-account role must be equal to or higher than the target user-account\u0027s role.\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAPI privilege comparison: the caller must possess all privileges of the user they are operating on. \u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eTwo new domain-level settings (restricted to the default Admin): \u003cbr\u003e\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\". \u003cbr\u003e\u0026nbsp; \u0026nbsp;- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e\u003c/span\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts.\u00a0A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that\u00a0could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\n * Strict validation on Role Type hierarchy: the caller\u0027s user-account role must be equal to or higher than the target user-account\u0027s role.\n * API privilege comparison: the caller must possess all privileges of the user they are operating on. \n * Two new domain-level settings (restricted to the default Admin): \n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\". \n\u00a0 \u00a0- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:06:45.585Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Domain Admin can reset Admin password in Root Domain",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-47713",
"datePublished": "2025-06-10T23:06:45.585Z",
"dateReserved": "2025-05-07T22:41:41.858Z",
"dateUpdated": "2025-06-14T03:56:14.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22828 (GCVE-0-2025-22828)
Vulnerability from nvd – Published: 2025-01-13 12:47 – Updated: 2025-01-13 19:02
VLAI?
Summary
CloudStack users can add and read comments (annotations) on resources they are authorised to access.
Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources.
An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources.
This may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact.
CloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.
Severity ?
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.16.0 , ≤ *
(semver)
|
Credits
Alex Perrakis <alexperrakis1@gmail.com>
Efstratios Chatzoglou <efchatzoglou@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T17:24:45.749950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T17:25:25.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-01-13T19:02:32.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/13/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "4.16.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Alex Perrakis \u003calexperrakis1@gmail.com\u003e"
},
{
"lang": "en",
"type": "reporter",
"value": "Efstratios Chatzoglou \u003cefchatzoglou@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eCloudStack users can add and read comments (annotations) on resources they are authorised to access.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eDue to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eAn attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources.\u0026nbsp;\u003c/div\u003e\u003cdiv\u003eThis may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn\u0027t same as access to CloudStack resources, making this issue of very low severity and general low impact.\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003eCloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "CloudStack users can add and read comments (annotations) on resources they are authorised to access.\u00a0\n\nDue to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources.\u00a0\n\nAn attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources.\u00a0\n\nThis may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn\u0027t same as access to CloudStack resources, making this issue of very low severity and general low impact.\n\n\nCloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure."
}
],
"metrics": [
{
"other": {
"content": {
"text": "Low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T12:47:51.619Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Unauthorised access to annotations",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-22828",
"datePublished": "2025-01-13T12:47:51.619Z",
"dateReserved": "2025-01-07T22:13:56.892Z",
"dateUpdated": "2025-01-13T19:02:32.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50386 (GCVE-0-2024-50386)
Vulnerability from nvd – Published: 2024-11-12 14:34 – Updated: 2024-11-12 20:06
VLAI?
Summary
Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue.
Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.
for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done
For checking the whole template/volume features of each disk, operators can run the following command:
for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done
Severity ?
8.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.0.0 , ≤ 4.18.2.4
(semver)
Affected: 4.19.0.0 , ≤ 4.19.1.2 (semver) |
Credits
Kiran Chavala <kiranchavala@apache.org>
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cloudstack",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "4.18.2.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.2",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T16:07:06.274965Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T16:10:15.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-12T17:02:47.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/12/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.4",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.2",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Kiran Chavala \u003ckiranchavala@apache.org\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. \u003cbr\u003e\u003cbr\u003e\u003c/span\u003eAdditionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. H\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eowever, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\u003c/span\u003e\u003cbr\u003e\u003c/div\u003e\u003cblockquote\u003efor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\u003c/blockquote\u003e\u003cdiv\u003e\u003cbr\u003eFor checking the whole template/volume features of each disk, operators can run the following command:\u003cbr\u003e\u003c/div\u003e\u003cblockquote\u003efor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done\u003c/blockquote\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. \n\nAdditionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\nFor checking the whole template/volume features of each disk, operators can run the following command:\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T20:06:52.571Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/d0x83c2cyglzzdw8csbop7mj7h83z95y"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-5-and-4-19-1-3/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-50386",
"datePublished": "2024-11-12T14:34:08.537Z",
"dateReserved": "2024-10-23T21:07:56.466Z",
"dateUpdated": "2024-11-12T20:06:52.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45219 (GCVE-0-2024-45219)
Vulnerability from nvd – Published: 2024-10-16 07:55 – Updated: 2024-10-16 14:48
VLAI?
Summary
Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Additionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk.
for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done
The command can also be run for the file-based primary storages; however, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.
For checking the whole template/volume features of each disk, operators can run the following command:
for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done
Severity ?
8.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.0.0 , ≤ 4.18.2.3
(semver)
Affected: 4.19.0.0 , ≤ 4.19.1.1 (semver) |
Credits
Daniel Augusto Veronezi Salvador <gutoveronezi@apache.org>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-10-16T08:03:38.754Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/10/15/2"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_cloudstack",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T14:45:46.172559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T14:48:18.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Daniel Augusto Veronezi Salvador \u003cgutoveronezi@apache.org\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. \u003cbr\u003e\u003cbr\u003e\u003c/span\u003eAdditionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk.\u003cbr\u003e\u003c/div\u003e\u003cblockquote\u003efor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\u003c/blockquote\u003e\u003cdiv\u003e\u003cbr\u003eThe command can also be run for the file-based primary storages; however, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\u003cbr\u003e\u003cbr\u003eFor checking the whole template/volume features of each disk, operators can run the following command:\u003cbr\u003e\u003c/div\u003e\u003cblockquote\u003efor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done\u003c/blockquote\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. \n\nAdditionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk.\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\nThe command can also be run for the file-based primary storages; however, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\n\nFor checking the whole template/volume features of each disk, operators can run the following command:\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T07:55:02.534Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch",
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45219",
"datePublished": "2024-10-16T07:55:02.534Z",
"dateReserved": "2024-08-23T20:40:33.349Z",
"dateUpdated": "2024-10-16T14:48:18.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45462 (GCVE-0-2024-45462)
Vulnerability from nvd – Published: 2024-10-16 07:53 – Updated: 2024-10-16 14:54
VLAI?
Summary
The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1.
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Severity ?
6.3 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.15.1.0 , ≤ 4.18.2.3
(semver)
Affected: 4.19.0.0 , ≤ 4.19.1.1 (semver) |
Credits
Arthur Souza
Felipe Olivaes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-10-16T08:03:42.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/10/15/4"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_cloudstack",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.15.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45462",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T14:51:40.647741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T14:54:34.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.15.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Arthur Souza"
},
{
"lang": "en",
"type": "reporter",
"value": "Felipe Olivaes"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user\u0027s browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user\u0027s browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1.\n\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T07:53:40.129Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Incomplete session invalidation on web interface logout",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45462",
"datePublished": "2024-10-16T07:53:40.129Z",
"dateReserved": "2024-08-29T08:57:32.948Z",
"dateUpdated": "2024-10-16T14:54:34.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45693 (GCVE-0-2024-45693)
Vulnerability from nvd – Published: 2024-10-16 07:52 – Updated: 2024-10-16 14:57
VLAI?
Summary
Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform.
This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Severity ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.15.1.0 , ≤ 4.18.2.3
(semver)
Affected: 4.19.0.0 , ≤ 4.19.1.1 (semver) |
Credits
Arthur Souza
Felipe Olivaes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-10-16T08:03:43.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/10/15/5"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cloudstack",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.15.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T14:55:50.101049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T14:57:41.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.15.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Arthur Souza"
},
{
"lang": "en",
"type": "reporter",
"value": "Felipe Olivaes"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsers logged into the Apache CloudStack\u0027s web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;to account takeover,\u0026nbsp;\u003c/span\u003edisruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform.\u003c/p\u003e\u003cp\u003eThis issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u003c/span\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Users logged into the Apache CloudStack\u0027s web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead\u00a0to account takeover,\u00a0disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform.\n\nThis issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T07:52:25.816Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Request origin validation bypass makes account takeover possible",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45693",
"datePublished": "2024-10-16T07:52:25.816Z",
"dateReserved": "2024-09-05T00:23:11.078Z",
"dateUpdated": "2024-10-16T14:57:41.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42062 (GCVE-0-2024-42062)
Vulnerability from nvd – Published: 2024-08-07 07:17 – Updated: 2024-09-03 19:58
VLAI?
Summary
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure.
Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.
Severity ?
No CVSS data available.
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.10.0 , ≤ 4.18.2.2
(semver)
Affected: 4.19.0.0 , ≤ 4.19.1.0 (semver) |
Credits
Fabricio Duarte
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T08:03:17.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/06/5"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "cloudstack",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "4.19.1.0",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.18.2.2",
"status": "affected",
"version": "4.10.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42062",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T18:16:06.919266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T19:58:27.161Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.2",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.0",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fabricio Duarte"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDue to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin.\u0026nbsp;\u003c/span\u003eAn attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edenial of service\u003c/span\u003e\u0026nbsp;and availability of CloudStack managed infrastructure.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue.\u0026nbsp;Additionally, all account-user API and secret keys should be regenerated.\u003cbr\u003e"
}
],
"value": "CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can\u00a0generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations.\u00a0Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin.\u00a0An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss,\u00a0denial of service\u00a0and availability of CloudStack managed infrastructure.\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue.\u00a0Additionally, all account-user API and secret keys should be regenerated."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T13:44:08.239Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: User Key Exposure to Domain Admins",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-42062",
"datePublished": "2024-08-07T07:17:08.811Z",
"dateReserved": "2024-07-29T11:57:03.344Z",
"dateUpdated": "2024-09-03T19:58:27.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42222 (GCVE-0-2024-42222)
Vulnerability from nvd – Published: 2024-08-07 07:16 – Updated: 2025-03-14 15:57
VLAI?
Summary
In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data.
Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.
Severity ?
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.19.1.0
|
Credits
Christian Gross of Netcloud AG
Midhun Jose
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T08:03:19.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/06/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T14:57:20.655680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T15:57:32.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "4.19.1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Gross of Netcloud AG"
},
{
"lang": "en",
"type": "finder",
"value": "Midhun Jose"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eIn Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data.\u003cbr\u003e\u003cbr\u003eAffected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data.\n\nAffected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T07:16:13.765Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/apache/cloudstack/issues/9456"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Unauthorised Network List Access",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-42222",
"datePublished": "2024-08-07T07:16:13.765Z",
"dateReserved": "2024-07-30T05:26:40.956Z",
"dateUpdated": "2025-03-14T15:57:32.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41107 (GCVE-0-2024-41107)
Vulnerability from nvd – Published: 2024-07-19 10:19 – Updated: 2025-03-19 18:31
VLAI?
Summary
The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account. In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account.
Affected users are recommended to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.
Severity ?
No CVSS data available.
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.5.0 , ≤ 4.18.2.1
(semver)
Affected: 4.19.0.0 , ≤ 4.19.0.2 (semver) |
Credits
Christian Gross of Netcloud AG
Damon Smith of Apple Services Engineering Security
Adam Pond of Apple Services Engineering Security
Terry Thibault of Apple Services Engineering Security
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_cloudstack:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_cloudstack",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.1",
"status": "affected",
"version": "4.5.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.19.0.2",
"status": "affected",
"version": "4.19.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41107",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T14:40:52.301987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T18:31:21.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.apache.org/thread/5q06g8zvmhcw6w3tjr6r5prqdw6zckg3"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107"
},
{
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/apache/cloudstack/issues/4519"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-cve-2024-41107"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/19/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/19/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.1",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.0.2",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christian Gross of Netcloud AG"
},
{
"lang": "en",
"type": "finder",
"value": "Damon Smith of Apple Services Engineering Security"
},
{
"lang": "en",
"type": "finder",
"value": "Adam Pond of Apple Services Engineering Security"
},
{
"lang": "en",
"type": "finder",
"value": "Terry Thibault of Apple Services Engineering Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eknown or guessed username and other user details of a SAML-enabled CloudStack user-account\u003c/span\u003e.\u0026nbsp;In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAffected users are recommended to disable the SAML authentication plugin by setting the\u0026nbsp;\"saml2.enabled\" global setting to \"false\", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account.\u00a0In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account.\n\nAffected users are recommended to disable the SAML authentication plugin by setting the\u00a0\"saml2.enabled\" global setting to \"false\", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T10:20:06.990Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/5q06g8zvmhcw6w3tjr6r5prqdw6zckg3"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/apache/cloudstack/issues/4519"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-cve-2024-41107"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/19/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/19/2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache CloudStack: SAML Signature Exclusion",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-41107",
"datePublished": "2024-07-19T10:19:53.995Z",
"dateReserved": "2024-07-12T22:43:29.015Z",
"dateUpdated": "2025-03-19T18:31:21.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}