CVE-2024-45461

The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2	Vendor Advisory
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2	Vendor Advisory
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2	Vendor Advisory
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2	Vendor Advisory
https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo	Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/10/15/3

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:cloudstack::::::::
	cpe:2.3:a:apache:cloudstack::::::::

History

21 Nov 2024, 09:37

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/10/15/3 -
References	~~() https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2 -~~	() https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~6.3~~	v2 : unknown v3 : 5.7

17 Oct 2024, 20:50

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.7~~	v2 : unknown v3 : 6.3
CPE		cpe:2.3:a:apache:cloudstack::::::::
References	~~() https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo -~~	() https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo - Vendor Advisory
First Time		Apache Apache cloudstack
CWE		CWE-862

16 Oct 2024, 16:38

Type	Values Removed	Values Added
Summary		(es) La función Cuota de CloudStack permite a los administradores de la nube implementar un sistema de cuota o límite de uso para los recursos de la nube y está deshabilitada de forma predeterminada. En los entornos donde la función está habilitada, debido a la falta de cumplimiento de las comprobaciones de acceso, las cuentas de usuario no administrativas de CloudStack pueden acceder y modificar las configuraciones y los datos relacionados con la cuota. Este problema afecta a Apache CloudStack desde la versión 4.7.0 hasta la 4.18.2.3 y desde la versión 4.19.0.0 hasta la 4.19.1.1, donde la función Cuota está habilitada. Se recomienda a los usuarios que actualicen a Apache CloudStack 4.18.2.4 o 4.19.1.2, o posterior, que soluciona este problema. Como alternativa, se recomienda a los usuarios que no usan la función Cuota que deshabiliten el complemento configurando la configuración global "quota.enable.service" en "false".

16 Oct 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-16 08:15

Updated : 2024-11-21 09:37

NVD link : CVE-2024-45461

Mitre link : CVE-2024-45461

CVE.ORG link : CVE-2024-45461

JSON object : View

Products Affected

apache

cloudstack

CWE

CWE-269

Improper Privilege Management

CWE-862

Missing Authorization

5.7 /10