Apache CloudStack security advisories
Security information for Apache CloudStack
Reporting
Do you want disclose a potential security issue for Apache CloudStack? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access
CVE-2026-25199 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-08T12:23:04.078Z
Affected
- Apache CloudStack from 4.21.0 through 4.22.0
Description
proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine.proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details.References
Credits
- Sander Grendelman sander.grendelman@axians.com (reporter)
Unauthenticated Command Injection in Direct Download Templates
CVE-2026-25077 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-08T12:21:33.362Z
Affected
- Apache CloudStack from 4.11.0 through 4.20.2.0
- Apache CloudStack from 4.21.0.0 through 4.22.0.0
Description
Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
References
Credits
- Reza at HazardLab (https://hazardlab.ninja) (reporter)
Domain/account resources limits not honored
CVE-2025-69233 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-08T12:19:36.271Z
Affected
- Apache CloudStack from 4.0.0 through 4.20.2.0
- Apache CloudStack from 4.21.0.0 through 4.22.0.0
Description
Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure’s resources and lead to denial of service conditions.
Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
References
Credits
- Fernando Oliveira ferolicar82@gmail.com (reporter)
- Gustavo Viana viana.gust@gmail.com (reporter)
MinIO policy remains intact on bucket deletion
CVE-2025-66467 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-08T12:16:09.128Z
Affected
- Apache CloudStack from 4.19.0.0 through 4.20.2.0
- Apache CloudStack from 4.21.0.0 through 4.22.0.0
Description
Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys.
Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
References
Credits
- Roman Kozello roman.kozello@gmail.com (reporter)
Any user can attach a volume in their VMs from backups they should not have access to
CVE-2025-66172 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-08T12:13:30.758Z
Affected
- Apache CloudStack from 4.21.0.0 through 4.22.0.0
Description
The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can restore a volume from any other user’s backups and attach the volume to their own VMs.
Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.
References
Credits
- Gabriel Pordeus (reporter)
Any user can create a new VM from backups they should not have access to
CVE-2025-66171 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-08T12:11:10.736Z
Affected
- Apache CloudStack from 4.21.0.0 through 4.22.0.0
Description
The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and have access to specific APIs can create new VMs using backups of any other user of the environment.
Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue.
References
Credits
- Fabricio Duarte fabricio.duarte.jr@gmail.com (reporter)
- Gabriel Ortiga Fernandes gabriel.ortiga@hotmail.com (reporter)
- Gabriel Pordeus Santos gabrielpordeus@gmail.com (reporter)
Any user can list backups that they should not have access to
CVE-2025-66170 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-08T12:06:38.994Z
Affected
- Apache CloudStack from 4.21.0.0 through 4.22.0.0
Description
The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup.Users are recommended to upgrade to version 4.22.0.1, which fixes the issue.
References
Credits
- Gabriel Ortiga Fernandes gabriel.ortiga@hotmail.com (reporter)
- Fabricio Duarte fabricio.duarte.jr@gmail.com (reporter)
- Gabriel Pordeus Santos gabrielpordeus@gmail.com (reporter)
Lack of user permission validation leading to data leak for few APIs
CVE-2025-59454 [CVE] [CVE json] [OSV json]
Last updated: 2025-11-27T11:40:37.834Z
Affected
- Apache CloudStack from 4.0.0 before 4.20.2
- Apache CloudStack from 4.21.0 before 4.22.0
Description
In Apache CloudStack, a gap in access control checks affected the APIs
- createNetworkACL
- listNetworkACLs
- listResourceDetails
- listVirtualMachinesUsageHistory
- listVolumesUsageHistoryWhile these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.
References
Credits
Potential remote code execution on Javascript engine defined rules
CVE-2025-59302 [CVE] [CVE json] [OSV json]
Last updated: 2025-11-27T11:46:23.798Z
Affected
- Apache CloudStack from 4.18.0 before 4.20.2
- Apache CloudStack from 4.21.0 before 4.22.0
Description
In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins.
- quotaTariffCreate
- quotaTariffUpdate
- createSecondaryStorageSelector
- updateSecondaryStorageSelector
- updateHost
- updateStorage
This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.
The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.
References
Credits
- Tianyi Cheng chengtianyi@huawei.com (finder)
Insecure access of user’s API/Secret Keys in the same domain
CVE-2025-47849 [CVE] [CVE json] [OSV json]
Last updated: 2025-06-11T03:59:42.176Z
Affected
- Apache CloudStack from 4.10.0 before 4.19.3.0
- Apache CloudStack from 4.20.0.0 before 4.20.1.0
Description
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:
- Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role.
- API privilege comparison: the caller must possess all privileges of the user they are operating on.
- Two new domain-level settings (restricted to the default admin):
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
References
- https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/
- https://www.shapeblue.com/shapeblue-security-advisory-cloudstack-4-19-3-0-and-4-20-1-0/
- https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60
Credits
- Kevin Li kli74@apple.com (finder)
- Scott Schmitz sschmitz@ussignal.com (finder)
Domain Admin can reset Admin password in Root Domain
CVE-2025-47713 [CVE] [CVE json] [OSV json]
Last updated: 2025-06-11T03:59:55.628Z
Affected
- Apache CloudStack from 4.10.0 before 4.19.3.0
- Apache CloudStack from 4.20.0.0 before 4.20.1.0
Description
- Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role.
- API privilege comparison: the caller must possess all privileges of the user they are operating on.
- Two new domain-level settings (restricted to the default Admin):
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
References
- https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/
- https://www.shapeblue.com/shapeblue-security-advisory-cloudstack-4-19-3-0-and-4-20-1-0/
- https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60
Credits
- Scott Schmitz sschmitz@ussignal.com (finder)
Unauthorised template/ISO list access to the domain/resource admins
CVE-2025-30675 [CVE] [CVE json] [OSV json]
Last updated: 2025-06-11T04:00:06.854Z
Affected
- Apache CloudStack from 4.0.0 before 4.19.3.0
- Apache CloudStack from 4.20.0.0 before 4.20.1.0
Description
References
- https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/
- https://www.shapeblue.com/shapeblue-security-advisory-cloudstack-4-19-3-0-and-4-20-1-0/
- https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60
Credits
- Bernardo De Marco Gonçalves bernardomg2004@gmail.com (finder)
CKS cluster in project exposes user API keys
CVE-2025-26521 [CVE] [CVE json] [OSV json]
Last updated: 2025-06-11T04:00:17.648Z
Affected
- Apache CloudStack from 4.17.0.0 before 4.19.3.0
- Apache CloudStack from 4.20.0.0 before 4.20.1.0
Description
When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the ‘kubeadmin’ user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the ‘kubeadmin’ user of the CKS cluster’s creator’s account. An attacker who’s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator’s account.
CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.
Updating Existing Kubernetes Clusters in Projects
A service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service Account
| Account Name | kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID> |
| First Name | Kubernetes |
| Last Name | Service User |
| Account Type | 0 (Normal User) |
| Role ID | <ID_OF_SERVICE_ROLE> |
2. Add the Service Account to the Project
Add this account to the project where the Kubernetes cluster(s) are hosted.3. Generate API and Secret Keys
Generate API Key and Secret Key for the default user of this account.4. Update the CloudStack Secret in the Kubernetes Cluster
Create a temporary file/tmp/cloud-config with the following data:api-url = <API_URL> # For example: <MS_URL>/client/api
api-key = <SERVICE_USER_API_KEY>
secret-key = <SERVICE_USER_SECRET_KEY>
rm /tmp/cloud-config
5. Regenerate API and Secret Keys
Regenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.References
- https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/
- https://www.shapeblue.com/shapeblue-security-advisory-cloudstack-4-19-3-0-and-4-20-1-0/
- https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60
Credits
- Wei Zhou (weizhou@apache.org) (finder)
Unauthorised access to dedicated resources in Quota plugin
CVE-2025-22829 [CVE] [CVE json] [OSV json]
Last updated: 2025-06-11T04:00:28.410Z
Affected
- Apache CloudStack from 4.20.0.0 before 4.20.1.0
Description
The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.
Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.
References
- https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0
- https://www.shapeblue.com/shapeblue-security-advisory-cloudstack-4-19-3-0-and-4-20-1-0/
- https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60
Credits
- Fabricio Duarte fabricio.duarte.jr@gmail.com (finder)
Unauthorised access to annotations
CVE-2025-22828 [CVE] [CVE json] [OSV json]
Last updated: 2025-01-13T12:40:18.771Z
Affected
- Apache CloudStack from 4.16.0 through *
Description
References
Credits
- Alex Perrakis alexperrakis1@gmail.com (reporter)
- Efstratios Chatzoglou efchatzoglou@gmail.com (reporter)
Directly downloaded templates can be used to abuse KVM-based infrastructure
CVE-2024-50386 [CVE] [CVE json] [OSV json]
Last updated: 2024-11-12T13:52:37.947Z
Affected
- Apache CloudStack from 4.0.0 through 4.18.2.4
- Apache CloudStack from 4.19.0.0 through 4.19.1.2
Description
Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.
Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.
for file in $(find /path/to/storage/ -type f -regex [a-f0-9-].); do echo “Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.”; qemu-img info -U $file | grep file: ; printf “\n\n”; done
For checking the whole template/volume features of each disk, operators can run the following command:
for file in $(find /path/to/storage/ -type f -regex [a-f0-9-].); do echo “Retrieving file [$file] info.”; qemu-img info -U $file; printf “\n\n”; done
References
- https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3
- https://lists.apache.org/thread/d0x83c2cyglzzdw8csbop7mj7h83z95y
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-5-and-4-19-1-3/
Credits
- Kiran Chavala kiranchavala@apache.org (reporter)
Request origin validation bypass makes account takeover possible
CVE-2024-45693 [CVE] [CVE json] [OSV json]
Last updated: 2024-10-16T10:39:13.974Z
Affected
- Apache CloudStack from 4.15.1.0 through 4.18.2.3
- Apache CloudStack from 4.19.0.0 through 4.19.1.1
Description
Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform.
This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1
References
- https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2
- https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/
Credits
- Arthur Souza (reporter)
- Felipe Olivaes (reporter)
Incomplete session invalidation on web interface logout
CVE-2024-45462 [CVE] [CVE json] [OSV json]
Last updated: 2024-10-16T10:39:03.528Z
Affected
- Apache CloudStack from 4.15.1.0 through 4.18.2.3
- Apache CloudStack from 4.19.0.0 through 4.19.1.1
Description
References
- https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2
- https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/
Credits
- Arthur Souza (reporter)
- Felipe Olivaes (reporter)
Access checks not enforced in Quota
CVE-2024-45461 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-12T09:30:16.539Z
Affected
- Apache CloudStack Quota plugin from 4.7.0 through 4.18.2.3
- Apache CloudStack Quota plugin from 4.19.0.0 through 4.19.1.1
Description
References
- https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2
- https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/
Credits
- Fabrício Duarte fabricio.duarte.jr@gmail.com (reporter)
Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure
CVE-2024-45219 [CVE] [CVE json] [OSV json]
Last updated: 2024-10-15T18:32:48.536Z
Affected
- Apache CloudStack from 4.0.0 through 4.18.2.3
- Apache CloudStack from 4.19.0.0 through 4.19.1.1
Description
Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.
Additionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk.
for file in $(find /path/to/storage/ -type f -regex [a-f0-9-].); do echo “Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.”; qemu-img info -U $file | grep file: ; printf “\n\n”; done
The command can also be run for the file-based primary storages; however, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.
For checking the whole template/volume features of each disk, operators can run the following command:
for file in $(find /path/to/storage/ -type f -regex [a-f0-9-].); do echo “Retrieving file [$file] info.”; qemu-img info -U $file; printf “\n\n”; done
References
- https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2
- https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/
Credits
- Daniel Augusto Veronezi Salvador gutoveronezi@apache.org (reporter)
Unauthorised Network List Access
CVE-2024-42222 [CVE] [CVE json] [OSV json]
Last updated: 2024-08-07T06:49:40.024Z
Affected
- Apache CloudStack at 4.19.1.0
Description
Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.
References
- https://github.com/apache/cloudstack/issues/9456
- https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3
- https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/
Credits
- Christian Gross of Netcloud AG (finder)
- Midhun Jose (finder)
User Key Exposure to Domain Admins
CVE-2024-42062 [CVE] [CVE json] [OSV json]
Last updated: 2024-08-19T13:43:36.243Z
Affected
- Apache CloudStack from 4.10.0 through 4.18.2.2
- Apache CloudStack from 4.19.0.0 through 4.19.1.0
Description
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure.
Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.
References
- https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3
- https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/
Credits
- Fabricio Duarte (finder)
SAML Signature Exclusion
CVE-2024-41107 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-19T10:11:15.224Z
Affected
- Apache CloudStack from 4.5.0 through 4.18.2.1
- Apache CloudStack from 4.19.0.0 through 4.19.0.2
Description
Affected users are recommended to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.
References
- https://lists.apache.org/thread/5q06g8zvmhcw6w3tjr6r5prqdw6zckg3
- https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107
- https://github.com/apache/cloudstack/issues/4519
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-cve-2024-41107
Credits
- Christian Gross of Netcloud AG (finder)
- Damon Smith of Apple Services Engineering Security (finder)
- Adam Pond of Apple Services Engineering Security (finder)
- Terry Thibault of Apple Services Engineering Security (finder)
Integration API service uses dynamic port when disabled
CVE-2024-39864 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-05T13:39:23.006Z
Affected
- Apache CloudStack from 4.0.0 through 4.18.2.0
- Apache CloudStack from 4.19.0.0 through 4.19.0.1
Description
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure.
References
- https://lists.apache.org/thread/6l51r00csrct61plkyd3qg3fj99215d1
- https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-1-and-4-19-0-2/
Credits
- Adam Pond of Apple Services Engineering Security (finder)
- Terry Thibault of Apple Services Engineering Security (finder)
- Damon Smith of Apple Services Engineering Security (finder)
Unauthenticated cluster service port leads to remote execution
CVE-2024-38346 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-05T13:39:11.185Z
Affected
- Apache CloudStack from 4.0.0 through 4.18.2.0
- Apache CloudStack from 4.19.0.0 through 4.19.0.1
Description
The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of these commands were found to have command injection vulnerabilities that can result in arbitrary code execution via agents on the hosts that may run as a privileged user. An attacker that can reach the cluster service on the unauthenticated port (default 9090), can exploit this to perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure.
References
- https://lists.apache.org/thread/6l51r00csrct61plkyd3qg3fj99215d1
- https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-1-and-4-19-0-2/
Credits
- Adam Pond of Apple Services Engineering Security (finder)
- Terry Thibault of Apple Services Engineering Security (finder)
- Damon Smith of Apple Services Engineering Security (finder)
The extraconfig feature can be abused to load hypervisor resources on a VM instance
CVE-2024-29008 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-04T10:58:44.745Z
Affected
- Apache CloudStack from 4.14.0.0 through 4.18.1.0, 4.19.0.0
Description
References
- https://lists.apache.org/thread/82f46pv7mvh95ybto5hn8wlo6g8jhjvp
- https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.1-4.18.1.1
Credits
- Wei Zhou ustcweizhou@gmail.com (finder)
When downloading templates or ISOs, the management server and SSVM follow HTTP redirects with potentially dangerous consequences
CVE-2024-29007 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-04T10:58:20.239Z
Affected
- Apache CloudStack from 4.9.1.0 through 4.18.1.0, 4.19.0.0
Description
References
- https://lists.apache.org/thread/82f46pv7mvh95ybto5hn8wlo6g8jhjvp
- https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.1-4.18.1.1
Credits
- Yuyang Xiao superxyyang@gmail.com (finder)
x-forwarded-for HTTP header parsed by default
CVE-2024-29006 [CVE] [CVE json] [OSV json]
Last updated: 2024-04-04T10:59:16.384Z
Affected
- Apache CloudStack from 4.11.0.0 through 4.18.1.0, 4.19.0.0
Description
References
- https://lists.apache.org/thread/82f46pv7mvh95ybto5hn8wlo6g8jhjvp
- https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.1-4.18.1.1
Credits
- Yuyang Xiao superxyyang@gmail.com (finder)
Apache CloudStack SAML Single Sign-On XXE
CVE-2022-35741 [CVE] [CVE json] [OSV json]
Last updated: 2022-07-18T14:26:13.768Z
Affected
- Apache CloudStack from 4.5.0 before Apache CloudStack*
Description
Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server.
References
Credits
- This issue was reported by v3ged0ge
Apache Cloudstack insecure random number generation affects project email invitation
CVE-2022-26779 [CVE] [CVE json] [OSV json]
Last updated: 2022-07-13T11:28:52.383Z
Affected
- Apache CloudStack from Apache CloudStack before 4.16.1
Description
Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. An attacker with knowledge of the project ID and the fact that the invite is sent, could generate time deterministic tokens and brute force attempt to use them prior to the legitimate receiver accepting the invite. This feature is not enabled by default, the attacker is required to know or guess the project ID for the invite in addition to the invitation token, and the attacker would need to be an existing authorized user of CloudStack.
References
- https://lists.apache.org/thread/dmm07b1cyosovqr12ddhkko501p11h2h
- https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-vpcc-9rh2-8jfp
Credits
- This issue was reported by Jonathan Leitschuh