389 matches found
CVE-2024-29007 Apache CloudStack: When downloading templates or ISOs, the management server and SSVM follow HTTP redirects with potentially dangerous consequences
The CloudStack management server and secondary storage VM could be tricked into making requests to restricted or random resources by means of following 301 HTTP redirects presented by external servers when downloading templates or ISOs. Users are recommended to upgrade to version 4.18.1.1 or...
CVE-2024-29008 Apache CloudStack: The extraconfig feature can be abused to load hypervisor resources on a VM instance
A problem has been identified in the CloudStack additional VM configuration extraconfig feature which can be misused by anyone who has privilege to deploy a VM instance or configure settings of an already deployed VM instance, to configure additional VM configuration even when the feature is not...
CVE-2024-29008
CVE-2024-29008 concerns Apache CloudStack’s extraconfig (additional VM configuration) feature. In KVM environments, incorrect access control allows users who can deploy or modify VMs to configure extra VM settings even when the feature is disabled, enabling attachment of host devices (storage dis...
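The two descriptions above say the extraconfig feature could be used even when disabled, and that on KVM it could attach hypervisor host resources to a guest. The following is an added example, not CloudStack's code or its patch, of the server-side control a practitioner would expect: the feature flag is enforced before any fragment is applied, and each top-level libvirt element in the fragment must be on an operator allowlist, with host-resource elements (hostdev, disk, filesystem, interface) refused outright. The feature flag, the allowlist contents, the element-name policy and the sample fragments are all constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List

# Constructed policy (assumption, not CloudStack's real settings): whether the
# additional-VM-configuration feature is on at all, and which top-level libvirt
# elements a tenant may contribute on KVM when it is.
EXTRACONFIG_ENABLED = False
KVM_ALLOWED_ELEMENTS = frozenset({"serial", "console", "memballoon", "rng"})

# libvirt elements that hand a hypervisor host resource to the guest.
HOST_RESOURCE_ELEMENTS = frozenset({"hostdev", "disk", "filesystem", "interface"})

# Constructed sample fragments a tenant might submit as extraconfig.
PCI_PASSTHROUGH = (
    "<hostdev mode='subsystem' type='pci' managed='yes'><source>"
    "<address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>"
    "</source></hostdev>"
)
HOST_BLOCK_DISK = (
    "<disk type='block' device='disk'><driver name='qemu' type='raw'/>"
    "<source dev='/dev/sdb'/><target dev='vdz' bus='virtio'/></disk>"
)
SERIAL_CONSOLE = "<serial type='pty'><target port='0'/></serial>"
SMUGGLED = "<serial type='pty'><hostdev mode='subsystem' type='usb'/></serial>"


class ExtraConfigRejected(ValueError):
    """Raised when a fragment must not be applied to the VM definition."""


def parse_fragment(extraconfig: str) -> List[ET.Element]:
    """Parse a fragment of sibling libvirt elements into a list of elements."""
    if "<!DOCTYPE" in extraconfig or "<!ENTITY" in extraconfig:
        raise ExtraConfigRejected("DTD and entity declarations are not allowed")
    try:
        # A fragment may carry several siblings, so wrap it in a throwaway root.
        root = ET.fromstring(f"<extraconfig>{extraconfig}</extraconfig>")
    except ET.ParseError as exc:
        raise ExtraConfigRejected(f"malformed XML: {exc}") from exc
    return list(root)


def apply_extraconfig_vulnerable(extraconfig: str) -> List[str]:
    """Pre-fix shape: the fragment is parsed and handed to the hypervisor with
    no check of the feature flag and no policy on what it contains."""
    return [elem.tag for elem in parse_fragment(extraconfig)]


def validate_kvm_extraconfig(
    extraconfig: str,
    *,
    enabled: bool = EXTRACONFIG_ENABLED,
    allowed: Iterable[str] = KVM_ALLOWED_ELEMENTS,
) -> List[str]:
    """Hardened shape: enforce the feature flag server-side, then accept only
    allowlisted top-level elements with no host-resource element anywhere
    inside them. Returns the tags that passed."""
    if not enabled:
        raise ExtraConfigRejected("additional VM configuration is disabled")
    allowed = set(allowed) - HOST_RESOURCE_ELEMENTS  # never allowlist these
    accepted = []
    for elem in parse_fragment(extraconfig):
        if elem.tag not in allowed:
            raise ExtraConfigRejected(f"top-level element <{elem.tag}> is not permitted")
        for child in elem.iter():
            if child is not elem and child.tag in HOST_RESOURCE_ELEMENTS:
                raise ExtraConfigRejected(
                    f"<{child.tag}> nested inside <{elem.tag}> is not permitted")
        accepted.append(elem.tag)
    return accepted


def rejected(extraconfig: str, **policy) -> bool:
    """Convenience for callers: True if the hardened validator refuses it."""
    try:
        validate_kvm_extraconfig(extraconfig, **policy)
    except ExtraConfigRejected:
        return True
    return False
```

With the flag off, the hardened validator refuses even the harmless serial-console fragment, which is the behaviour the advisory says was missing; with the flag on, a PCI passthrough or a raw host block device is still refused because those elements are never allowlisted.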
CVE-2024-29007
The CVE-2024-29007 issue affects Apache CloudStack: when downloading templates or ISOs, the CloudStack management server and the secondary storage VM can follow HTTP 301 redirects to external resources, potentially enabling access to restricted or random resources. Affected components are the Clo...
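The entries for CVE-2024-29007 describe a download agent that validates the URL an operator submitted and then lets the HTTP client follow a 301 from the remote server to wherever it points, including addresses the agent should never reach. The example below is added here and is not CloudStack's code or its fix. It contrasts that shape with one that re-validates every hop of the redirect chain against a block list of internal and link-local ranges, caps the number of hops, and generalises from the 301 named on the page to all redirect status codes. The resolver, the HTTP fetcher, the hostnames and the redirect chain are constructed stand-ins so the code runs offline.

```python
import ipaddress
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

# Constructed block list: ranges a template/ISO download agent must never hit.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_CODES = {301, 302, 303, 307, 308}

Resolver = Callable[[str], str]                          # hostname -> IP literal
Fetcher = Callable[[str], Tuple[int, Optional[str]]]     # url -> (status, Location)

# Constructed DNS and HTTP behaviour for the demonstration.
FAKE_DNS = {"mirror.example.net": "203.0.113.20", "cdn.example.net": "198.51.100.7"}
ISO_URL = "http://mirror.example.net/images/ubuntu.iso"
METADATA_URL = "http://169.254.169.254/latest/meta-data/"   # link-local metadata
BENIGN_URL = "http://mirror.example.net/images/debian.iso"
CDN_URL = "https://cdn.example.net/images/debian.iso"
FAKE_RESPONSES = {
    ISO_URL: (301, METADATA_URL),      # hostile mirror redirects inward
    METADATA_URL: (200, None),
    BENIGN_URL: (301, CDN_URL),        # ordinary mirror-to-CDN redirect
    CDN_URL: (200, None),
}


def fake_resolve(host: str) -> str:
    try:
        return str(ipaddress.ip_address(host))   # already an IP literal
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise ValueError(f"cannot resolve {host}")
    return FAKE_DNS[host]


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_RESPONSES.get(url, (404, None))


def check_target(url: str, resolve: Resolver) -> str:
    """Validate one URL before connecting. Returns the resolved IP so a real
    client can pin the connection to the address that was actually checked."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    ip = ipaddress.ip_address(resolve(parts.hostname))
    if any(ip in net for net in BLOCKED_NETS):
        raise ValueError(f"{parts.hostname} resolves to blocked address {ip}")
    return str(ip)


def download_vulnerable(url: str, resolve: Resolver, fetch: Fetcher, max_hops: int = 5) -> str:
    """Pre-fix shape: only the submitted URL is checked; redirects are then
    followed blindly. Returns the URL whose body the agent would store."""
    check_target(url, resolve)
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES:
            return url
        url = location          # never re-validated
    raise ValueError("too many redirects")


def download_hardened(url: str, resolve: Resolver, fetch: Fetcher, max_hops: int = 5) -> str:
    """Hardened shape: every hop of the chain is validated before it is fetched."""
    for _ in range(max_hops):
        check_target(url, resolve)
        status, location = fetch(url)
        if status not in REDIRECT_CODES:
            return url
        if not location:
            raise ValueError("redirect without Location header")
        url = location
    raise ValueError("too many redirects")


def hardened_blocks(url: str, resolve: Resolver, fetch: Fetcher) -> bool:
    """True if the hardened downloader refuses the chain starting at url."""
    try:
        download_hardened(url, resolve, fetch)
    except ValueError:
        return False if False else True
    return False
```

Two caveats for anyone porting this to a real agent: the check resolves the name separately from the HTTP client's own connection, so the client must connect to the IP that `check_target` returned rather than re-resolving (otherwise a DNS answer that changes between the two lookups defeats the check), and the block list should be reviewed for the deployment's actual management and storage networks rather than taken from this sample.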
CVE-2024-29006
The CVE-2024-29006 issue affects the CloudStack management server, which by default accepts the x-forwarded-for header and logs it as the source IP of API requests. This default can enable authentication bypass and other operational problems if an attacker spoofs their IP through the header. Publi...
CVE-2024-29006 Apache CloudStack: x-forwarded-for HTTP header parsed by default
By default the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead to authentication bypass and other operational problems should an attacker decide to spoof their IP address this way. Users are recommended to upgrad...
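The CVE-2024-29006 entries say the management server trusted x-forwarded-for by default, so a caller who set the header could appear to come from any source address, defeating controls that key on the source IP. The example below is added here and is not CloudStack's code or its patch; it shows the vulnerable client-IP derivation beside one that honours the header only when an operator has enabled it and only when the TCP peer is a known reverse proxy. The proxy range, the admin allowlist and the sample request are constructed for the illustration.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed deployment facts (assumptions): the reverse proxies we operate in
# front of the API, and an IP allowlist guarding a privileged API account.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed sample: an attacker on 203.0.113.5 claims the admin's address.
ATTACKER_PEER = "203.0.113.5"
ATTACKER_HEADERS = {"X-Forwarded-For": "192.0.2.10"}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_ip_vulnerable(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Pre-fix shape: honour X-Forwarded-For from anyone, take the first hop."""
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip: str, headers: Mapping[str, str],
                       trust_proxy_header: bool = False) -> str:
    """Hardened shape: the header is ignored unless explicitly enabled AND the
    socket peer is one of our own proxies. Even then only the address that the
    trusted proxy appended (the last hop) is believed; earlier entries were
    supplied by the client and are untrusted."""
    if not trust_proxy_header:
        return peer_ip
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer_ip
    xff = _header(headers, "X-Forwarded-For") or ""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer_ip
    candidate = hops[-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip          # garbage in the header: fall back to the socket
    return candidate


def is_admin_source(ip: str) -> bool:
    """The kind of IP-based control the spoofed header is aimed at."""
    return any(ipaddress.ip_address(ip) in net for net in ADMIN_ALLOWLIST)


def bypass_possible(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """True when the vulnerable derivation grants admin-source status to a
    request that the hardened derivation (default settings) would not."""
    return (is_admin_source(client_ip_vulnerable(peer_ip, headers))
            and not is_admin_source(client_ip_hardened(peer_ip, headers)))
```

The same spoofed header also poisons audit logs: whatever the vulnerable function returns is what gets written as the request's source, so an incident responder working from those logs would be chasing 192.0.2.10 rather than 203.0.113.5.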
Apache CloudStack input validation error vulnerability
Apache CloudStack is an Infrastructure-as-a-Service (IaaS) cloud computing platform from the Apache Software Foundation. It is primarily used to deploy and manage large networks of virtual machines. Apache CloudStack suffers from an input validation error vulnerabilit...
Apache CloudStack code issue vulnerability
Apache CloudStack is an Infrastructure-as-a-Service (IaaS) cloud computing platform from the Apache Software Foundation. It is primarily used to deploy and manage large networks of virtual machines. Apache CloudStack suffers from a security bypass vulnerability that...
PT-2024-22666 · Apache · Cloudstack
Name of the Vulnerable Software and Affected Versions: CloudStack versions prior to 4.18.1.1 CloudStack versions prior to 4.19.0.1 Description: The CloudStack management server and secondary storage VM could be tricked into making requests to restricted or random resources by means of following 3...
PT-2024-22667 · Apache · Cloudstack
Name of the Vulnerable Software and Affected Versions: CloudStack versions prior to 4.18.1.1 CloudStack versions prior to 4.19.0.1 Description: A problem has been identified in the CloudStack additional VM configuration extraconfig feature which can be misused by anyone who has privilege to deplo...
Apache CloudStack security vulnerability
Apache CloudStack is an Infrastructure-as-a-Service (IaaS) cloud computing platform from the Apache Software Foundation. It is primarily used to deploy and manage large networks of virtual machines. Apache CloudStack suffers from a security bypass vulnerability that...
PT-2024-22665 · Unknown · Cloudstack
Name of the Vulnerable Software and Affected Versions: CloudStack versions prior to 4.18.1.1 CloudStack versions prior to 4.19.0.1 Description: The CloudStack management server honors the x-forwarded-for HTTP header and logs it as the source IP of an API request by default. This could lead to...
K05715414: Apache CloudStack vulnerability CVE-2016-3085
Security Advisory Description Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1, when SAML-based authentication is enabled and used, allow remote attackers to bypass authentication and access the user interface via vectors related to the...
Fedora: Security Advisory for apache-cloudstack-cloudmonkey (FEDORA-2022-5ef0bd9a27)
The remote host is missing an update for the apache-cloudstack-cloudmonkey package announced via the FEDORA-2022-5ef0bd9a27 advisory...
Apache CloudStack XML External Entity Injection Vulnerability
Apache CloudStack is an Infrastructure-as-a-Service (IaaS) cloud computing platform from the Apache Software Foundation. It is primarily used to deploy and manage large networks of virtual machines. An XML external entity injection vulnerability exists in Apache...
A vulnerability in the SAML plugin of the Apache CloudStack cloud management platform allows attackers to perform XXE attacks.
The vulnerability in the SAML plugin of the Apache CloudStack cloud management platform stems from improper restriction of XML external entity references. Exploiting it allows a remote attacker to perform XXE attacks...