CVE-2024-29008: Improper Input Validation in Apache CloudStack

Severity
6.4 MEDIUM (NVD)
EPSS
0.1%
top 67.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 4

Description

A problem has been identified in the CloudStack additional VM configuration (extraconfig) feature which can be misused by anyone who has privilege to deploy a VM instance or configure settings of an already deployed VM instance, to configure additional VM configuration even when the feature is not explicitly enabled by the administrator. In a KVM based CloudStack environment, an attacker can exploit this issue to attach host devices such as storage disks, and PCI and USB devices such as network

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

Exploitability: 3.1 | Impact: 2.7

Affected Packages: 2 packages

NVD | apache/cloudstack | 4.14.0.0 | 4.18.1.1 | +1
CVEListV5 | apache_software_foundation/apache_cloudstack | 4.14.0.0 | 4.18.1.0 | +1

Vulnerability Details

2
CVEList
Apache CloudStack: The extraconfig feature can be abused to load hypervisor resources on a VM instance (2024-04-04)
GHSA
GHSA-3fpg-5xv7-pq63: A problem has been identified in the CloudStack additional VM configuration (extraconfig) feature which can be misused by anyone who has privilege to (2024-04-04)