CVE-2024-45219: Improper Input Validation in Apache CloudStack

Severity: 8.5 HIGH (NVD)
EPSS: 0.5% (top 34.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 16

Description

Account users in Apache CloudStack are allowed by default to upload and register templates for deploying instances, and volumes for attaching as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker who can upload or register templates and volumes can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-ba

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 6.0

Affected Packages (2 packages)

NVD | apache/cloudstack | 4.0.0 | 4.18.2.4 | +1
CVEListV5 | apache_software_foundation/apache_cloudstack | 4.0.0 | 4.18.2.3 | +1

🔴 Vulnerability Details (2)

CVEList: Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure (2024-10-16)
GHSA: GHSA-mp22-wph9-qgqx: Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as d (2024-10-16)