CVE-2024-39864

CWE-94Code InjectionCWE-6653 documents3 sources
Severity
9.8CRITICAL
EPSS
2.4%
top 14.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache CloudstackApache Software Foundation Apache Cloudstack
Timeline
PublishedJul 5

Description

The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDapache/cloudstack4.0.04.18.2.1+1
CVEListV5apache_software_foundation/apache_cloudstack4.0.04.18.2.0+1

🔴Vulnerability Details

2
CVEList
Apache CloudStack: Integration API service uses dynamic port when disabled2024-07-05
GHSA
GHSA-qcg7-r5qq-mqmw: The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration2024-07-05
CVE-2024-39864 (CRITICAL CVSS 9.8) | The CloudStack integration API serv | cvebase.io