CVE-2024-29006 Apache CloudStack: x-forwarded-for HTTP header parsed by default

2024-04-0407:48:54

CWE-290

apache

www.cve.org

cve-2024-29006

cloudstack management server

api request

authentication bypass

ip address spoofing

upgrade

version 4.18.1.1

version 4.19.0.1

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.2%

JSON

By default the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead to authentication bypass and other operational problems should an attacker decide to spoof their IP address this way. Users are recommended to upgrade to CloudStack version 4.18.1.1 or 4.19.0.1, which fixes this issue.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache CloudStack",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "4.18.1.0",
        "status": "affected",
        "version": "4.11.0.0",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.19.0.0"
      }
    ]
  }
]

References

lists.apache.org/thread/82f46pv7mvh95ybto5hn8wlo6g8jhjvp