8 matches found
CVE-2025-22828
CVE-2025-22828 affects Apache CloudStack 4.16.0 and later. An access validation issue lets users with access or prior knowledge of resource UUIDs list or add comments (annotations) on resources they are authorized to access, potentially reading or injecting comments that could disclose privileged...
CVE-2025-47849
CVE-2025-47849 (Apache CloudStack) : Privilege escalation affects CloudStack versions 4.10.0.0 through 4.20.0.0. A malicious Domain Admin in the ROOT domain can obtain the API key and secret key of Admin-role accounts in the same domain, enabling impersonation and access to sensitive APIs and res...
CVE-2025-47713
Apache CloudStack
CVE-2025-26521
CVE-2025-26521 describes an information-disclosure flaw in Apache CloudStack where a project member can access the kubeadmin API key and secret for the creator’s CKS-based Kubernetes cluster, enabling impersonation and possible full compromise of the creator’s resources. Affected versions are pri...
CVE-2025-30675
CVE-2025-30675 in Apache CloudStack affects the listTemplates and listIsos APIs due to a flawed access-control check when domainid is specified with filters self or selfexecutable. The issue allows a Domain Admin or Resource Admin to enumerate templates/ISOs in unrelated domains, breaching isolat...
CVE-2025-22829
Affected software: Apache CloudStack with the Quota plugin (version 4.20.0.0). Issue: Improper privilege management logic lets an authenticated user with access to specific APIs enable/disable quota‑related emails and list quota configurations for any account in environments where the plugin is e...
CVE-2025-59302
CVE-2025-59302 concerns Apache CloudStack where code injection is possible via admin-only APIs: quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector, updateHost, and updateStorage. The issue arises from improper control of code generation. A fix fla...
CVE-2025-59454
In Apache CloudStack, a gap in access control checks allowed an authenticated user to access information beyond their intended scope via several APIs. Affected endpoints include createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory, and listVolumesUsageHistory. T...