Lucene search
K
ApacheCloudstack

9 matches found

CVE
CVE
added 2024/07/05 1:40 p.m.112 views

CVE-2024-39864

The CVE-2024-39864 issue affects Apache CloudStack's Integration API service. When integration.api.port is set to 0 (default), an improper initialisation causes the unauthenticated integration API server to listen on a random port. An attacker with access to the CloudStack management network coul...

9.8CVSS9.9AI score0.01772EPSS
CVE
CVE
added 2024/04/04 7:48 a.m.98 views

CVE-2024-29006

The CVE-2024-29006 issue affects the CloudStack management server, where the system by default accepts and logs the x-forwarded-for header as the source IP for API requests. This misconfiguration can enable authentication bypass and other operational problems if an attacker spoofs their IP. Publi...

9.8CVSS7.1AI score0.00874EPSS
CVE
CVE
added 2022/07/18 2:30 p.m.82 views

CVE-2022-35741

The CVE-2022-35741 issue affects Apache CloudStack 4.5.0 and later, specifically the SAML 2.0 authentication Service Provider plugin. The vulnerability is XML External Entity (XXE) injection in the XML-based SAML messages parsed during authentication. Attacker must have the plugin enabled (not en...

9.8CVSS10AI score0.06734EPSS
CVE
CVE
added 2024/07/05 1:40 p.m.82 views

CVE-2024-38346

CVE-2024-38346 affects Apache CloudStack’s cluster service that runs on an unauthenticated port (default 9090). The provided documents describe a code-injection vulnerability enabling remote code execution on targeted hypervisors and CloudStack management server hosts, potentially leading to comp...

9.8CVSS10AI score0.03301EPSS
CVE
CVE
added 2024/11/12 2:34 p.m.71 views

CVE-2024-50386

CVE-2024-50386 affects Apache CloudStack where by default, derived KVM-compatible templates can be registered for download to primary storage. The root cause is missing validation checks for KVM templates in CloudStack versions 4.0.0–4.18.2.4 and 4.19.0–4.19.1.2. An attacker able to register temp...

9.9CVSS8.7AI score0.01419EPSS
CVE
CVE
added 2018/02/06 2:0 p.m.60 views

CVE-2016-6813

CVE-2016-6813 affects Apache CloudStack 4.1–4.8.1.0 and 4.9.0.0. The issue is an API call that lets a user register for the developer API, and if the attacker can determine another non-root user’s CloudStack ID, they may reset that user’s API keys and gain access to their account and resources. T...

9.8CVSS9.3AI score0.05629EPSS
CVE
CVE
added 2020/05/14 4:14 p.m.54 views

CVE-2019-17562

Apache CloudStack baremetal component contains a buffer overflow (affecting all versions prior to 4.13.1) caused by inadequate validation of the mac parameter in baremetal virtual router. An attacker can inject shell commands via the mac field (example: /baremetal/provisiondone/{mac} with special...

9.8CVSS9.6AI score0.02919EPSS
Web
CVE
CVE
added 2016/02/08 7:0 p.m.49 views

CVE-2015-3252

Apache CloudStack vulnerability CVE-2015-3252 affects CloudStack before 4.5.2 (4.5.1 and earlier per CNVD). The issue arises from improper preservation of VNC passwords during KVM VM migrations, enabling a remote attacker to gain access by connecting to the VNC server. According to the sources, t...

9.8CVSS9.5AI score0.02172EPSS
CVE
CVE
added 2026/05/08 12:22 p.m.33 views

CVE-2026-25199

The CVE describes a vulnerability in the Proxmox extension for Apache CloudStack (affecting 4.21.0.0–4.22.0.0) where the user-editable proxmox_vmid setting is not validated against tenant ownership. An unauthenticated attacker can modify proxmox_vmid to reference a VM owned by another account, gr...

9.1CVSS5.8AI score0.005EPSS