Lucene search
+L

13 matches found

CVE
CVE
added 2024/07/05 1:40 p.m.113 views

CVE-2024-39864

The CVE-2024-39864 issue affects Apache CloudStack's Integration API service. When integration.api.port is set to 0 (default), an improper initialisation causes the unauthenticated integration API server to listen on a random port. An attacker with access to the CloudStack management network coul...

9.8CVSS9.9AI score0.01772EPSS
CVE
CVE
added 2024/07/19 10:19 a.m.107 views

CVE-2024-41107

CVE-2024-41107 — Apache CloudStack: SAML Signature Exclusion Root cause: CloudStack’s SAML authentication can bypass signature checks when SAML is enabled, allowing spoofed, unsigned SAML responses to authenticate as a legitimate SAML-enabled user. Impact: In affected environments, an attacker ca...

8.1CVSS8.1AI score0.1776EPSS
CVE
CVE
added 2024/04/04 7:48 a.m.100 views

CVE-2024-29006

The CVE-2024-29006 issue affects the CloudStack management server, where the system by default accepts and logs the x-forwarded-for header as the source IP for API requests. This misconfiguration can enable authentication bypass and other operational problems if an attacker spoofs their IP. Publi...

9.8CVSS7.1AI score0.00874EPSS
CVE
CVE
added 2024/08/07 7:17 a.m.84 views

CVE-2024-42062

CVE-2024-42062 (Apache CloudStack) : A permission validation flaw in CloudStack 4.10.0–4.19.1.0 lets domain-admins query all account-user API/secret keys, including those of root admins. An attacker with domain-admin access can leverage this to gain root-admin and other privileges, potentially co...

7.2CVSS7.8AI score0.00946EPSS
CVE
CVE
added 2024/07/05 1:40 p.m.83 views

CVE-2024-38346

CVE-2024-38346 affects Apache CloudStack’s cluster service that runs on an unauthenticated port (default 9090). The provided documents describe a code-injection vulnerability enabling remote code execution on targeted hypervisors and CloudStack management server hosts, potentially leading to comp...

9.8CVSS10AI score0.03301EPSS
CVE
CVE
added 2024/08/07 7:16 a.m.81 views

CVE-2024-42222

CVE-2024-42222 affects Apache CloudStack 4.19.1.0, where a regression in the network listing API allows unauthorised listing of network details for domain admins and normal users, compromising tenant isolation and potentially exposing network configurations and data. The issue has been fixed in C...

4.3CVSS7AI score0.00972EPSS
CVE
CVE
added 2024/04/04 7:49 a.m.77 views

CVE-2024-29007

The CVE-2024-29007 issue affects Apache CloudStack: when downloading templates or ISOs, the CloudStack management server and the secondary storage VM can follow HTTP 301 redirects to external resources, potentially enabling access to restricted or random resources. Affected components are the Clo...

7.3CVSS7.2AI score0.00785EPSS
CVE
CVE
added 2024/04/04 7:51 a.m.75 views

CVE-2024-29008

CVE-2024-29008 concerns Apache CloudStack’s extraconfig (additional VM configuration) feature. In KVM environments, incorrect access control allows users who can deploy or modify VMs to configure extra VM settings even when the feature is disabled, enabling attachment of host devices (storage dis...

6.4CVSS6.5AI score0.00619EPSS
CVE
CVE
added 2024/11/12 2:34 p.m.71 views

CVE-2024-50386

CVE-2024-50386 affects Apache CloudStack where by default, derived KVM-compatible templates can be registered for download to primary storage. The root cause is missing validation checks for KVM templates in CloudStack versions 4.0.0–4.18.2.4 and 4.19.0–4.19.1.2. An attacker able to register temp...

9.9CVSS8.7AI score0.01419EPSS
CVE
CVE
added 2024/10/16 7:52 a.m.69 views

CVE-2024-45693

The CVE-2024-45693 issue affects Apache CloudStack where missing validation of the origin of requests enables Cross-Site Request Forgery in the web interface. This could allow an attacker to impersonate an authenticated user and gain privileges, potentially leading to account takeover and exposur...

8.8CVSS8.1AI score0.00497EPSS
CVE
CVE
added 2024/10/16 7:55 a.m.64 views

CVE-2024-45219

Apache CloudStack CVE-2024-45219 concerns a KVM-related vulnerability where default user uploads/registrations of templates and volumes can bypass validation for KVM-compatible disks. The issue spans CloudStack versions 4.0.0–4.18.2.3 and 4.19.0.0–4.19.1.1, allowing an attacker who can upload or ...

8.5CVSS8.8AI score0.01229EPSS
CVE
CVE
added 2024/10/16 7:53 a.m.59 views

CVE-2024-45462

The CVE describes an incomplete session invalidation in Apache CloudStack that allows a user with browser access to reuse an unexpired session after logout. Affected versions: 4.15.1.0–4.18.2.3 and 4.19.0.0–4.19.1.1. Mitigation per connected documents: upgrade to 4.18.2.4 or 4.19.1.2 (or later) d...

7.1CVSS6.5AI score0.00393EPSS
CVE
CVE
added 2024/10/16 7:54 a.m.58 views

CVE-2024-45461

CVE-2024-45461 affects Apache CloudStack where the Quota feature is enabled. The issue is due to missing access-check enforcements, allowing non-administrative users to access and modify quota-related configurations and data. Affected ranges include 4.7.0–4.18.2.3 and 4.19.0.0–4.19.1.1 when the Q...

6.3CVSS5.7AI score0.00708EPSS