CVE-2025-22828: Sensitive Information Exposure in Software Foundation Apache CloudStack

Severity: 4.3 MEDIUM (NVD)
EPSS: 18.4% (top 4.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 13

Description

CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotat

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages: 2 packages

Vulnerability Details (2 advisories)

GHSA: GHSA-7jhp-8mw7-9mrw: CloudStack users can add and read comments (annotations) on resources they are authorised to access (2025-01-13)
CVEList: Apache CloudStack: Unauthorised access to annotations (2025-01-13)
CVE-2025-22828 — Sensitive Information Exposure | cvebase