PT-2025-25168 · Apache · Apache Cloudstack

Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions prior to 4.19.3.0 Apache CloudStack versions prior to 4.20.1.0 Description: A flaw in access control affects the "listTemplates" and "listIsos" APIs. A malicious Domain Admin or Resource Admin can exploit this issue...

Apache CloudStack 信息泄露漏洞

Apache CloudStack is a suite of Infrastructure-as-a-Service IaaS cloud computing platforms from the Apache USA Foundation. The platform is primarily used to deploy and manage large networks of virtual machines. Apache CloudStack suffers from an information disclosure vulnerability that stems from...

Apache CloudStack 安全漏洞

Apache CloudStack is a suite of Infrastructure as a Service IaaS cloud computing platforms from the Apache Foundation in the United States. The platform is primarily used to deploy and manage large networks of virtual machines. Apache CloudStack has a security vulnerability that can be exploited ...

Apache CloudStack 安全漏洞

Apache CloudStack is a suite of Infrastructure as a Service IaaS cloud computing platforms from the Apache Foundation in the United States. The platform is primarily used to deploy and manage large networks of virtual machines. Apache CloudStack has a security vulnerability that can be exploited ...

PT-2025-25170 · Apache · Apache Cloudstack

Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions 4.10.0.0 through 4.20.0.0 Description: A privilege escalation issue exists where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type, allowing the attacker to...

CVE-2024-45462

The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out...

CVE-2024-42222

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and...

CVE-2014-9593

Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call...

CVE-2019-17562

A buffer overflow vulnerability has been found in the baremetal component of Apache CloudStack. This applies to all versions prior to 4.13.1. The vulnerability is due to the lack of validation of the mac parameter in baremetal virtual router. If you insert an arbitrary shell command into the mac...

CVE-2024-50386

Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker...

CVE-2024-45219

Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2....

CVE-2025-22828

CVE-2025-22828 affects Apache CloudStack 4.16.0 and later. An access validation issue lets users with access or prior knowledge of resource UUIDs list or add comments (annotations) on resources they are authorized to access, potentially reading or injecting comments that could disclose privileged...

CVE-2025-22828 Apache CloudStack: Unauthorised access to annotations

CloudStack users can add and read comments annotations on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments annotations to suc...

CVE-2025-22828 Apache CloudStack: Unauthorised access to annotations

CloudStack users can add and read comments annotations on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments annotations to suc...

PT-2025-4736 · Apache · Apache Cloudstack

The software that is vulnerable is Apache CloudStack, specifically versions from 4.16.0 onwards. The vulnerability is an access validation issue that allows unauthorized access to annotations, which can lead to potential loss of confidentiality of CloudStack environments and resources if the...

CVE-2024-50386

Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker...

CVE-2024-50386

Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker...

CVE-2024-50386 Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure

Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker...

CVE-2024-50386

CVE-2024-50386 affects Apache CloudStack where by default, derived KVM-compatible templates can be registered for download to primary storage. The root cause is missing validation checks for KVM templates in CloudStack versions 4.0.0–4.18.2.4 and 4.19.0–4.19.1.2. An attacker able to register temp...

CVE-2024-50386 Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure

Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker...