6 matches found
CVE-2024-29008
CVE-2024-29008 concerns Apache CloudStack’s extraconfig (additional VM configuration) feature. In KVM environments, incorrect access control allows users who can deploy or modify VMs to configure extra VM settings even when the feature is disabled, enabling attachment of host devices (storage dis...
CVE-2024-45461
CVE-2024-45461 affects Apache CloudStack where the Quota feature is enabled. The issue is due to missing access-check enforcements, allowing non-administrative users to access and modify quota-related configurations and data. Affected ranges include 4.7.0–4.18.2.3 and 4.19.0.0–4.19.1.1 when the Q...
CVE-2016-3085
CVE-2016-3085 affects Apache CloudStack 4.5.x before 4.5.2.1, 4.6.x before 4.6.2.1, 4.7.x before 4.7.1.1, and 4.8.x before 4.8.0.1. When SAML-based authentication is enabled, remote attackers can bypass authentication and access the user interface via vectors related to the SAML plugin. The conne...
CVE-2025-66171
CVE-2025-66171 affects the CloudStack Backup plugin in CloudStack 4.21.0.0 and 4.22.0.0, where an improper access logic allows any authenticated user with access to specific APIs to create new VMs using backups belonging to other users. Public docs from NVD/CVE and EUVD- ENISA reiterate upgrade g...
CVE-2025-69233
CVE-2025-69233 affects Apache CloudStack and describes time-of-check/time-of-use race conditions in the resource count check and increment logic, along with missing validations, that allow users to exceed allocation limits for accounts/domains. This can enable an attacker to degrade infrastructur...
CVE-2025-66170
The CVE affects the CloudStack Backup plugin (versions 4.21.0.0 and 4.22.0.0). An improper authorization logic lets any authenticated user with access to the plugin’s APIs list backups from any account, though they cannot view the backup contents. The issue is resolved by upgrading to version 4.2...