CVE-2024-29007

Severity
7.3 HIGH
EPSS
0.1%
top 66.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Apr 4

Description

The CloudStack management server and secondary storage VM could be tricked into making requests to restricted or random resources by means of following 301 HTTP redirects presented by external servers when downloading templates or ISOs. Users are recommended to upgrade to version 4.18.1.1 or 4.19.0.1, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 3.9 | Impact: 3.4

Affected Packages (2 packages)

NVD | apache/cloudstack | 4.9.1.0 | 4.18.1.1 | +1
CVEListV5 | apache_software_foundation/apache_cloudstack | 4.9.1.0 | 4.18.1.0 | +1

Vulnerability Details (2)

CVEList (2024-04-04)
Apache CloudStack: When downloading templates or ISOs, the management server and SSVM follow HTTP redirects with potentially dangerous consequences

GHSA (2024-04-04)
GHSA-29xc-2rhm-5f2q: The CloudStack management server and secondary storage VM could be tricked into making requests to restricted or random resources by means of followin
CVE-2024-29007 (HIGH CVSS 7.3) | The CloudStack management server an | cvebase.io