CVE-2025-22829

Severity: 2.3 (LOW)
EPSS: 0.5% (top 33.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 10; latest update Jun 11

Description

The CloudStack Quota plugin has improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in a CloudStack 4.20.0.0 environment where this plugin is enabled, and who has access to specific APIs, can enable or disable reception of quota-related emails for any account in the environment and list their configurations. Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N

Affected Packages (2 packages)

Source: CVEListV5; Package: apache_software_foundation/apache_cloudstack; Affected: 4.20.0.0; Fixed: 4.20.1.0
Source: NVD; Package: apache/cloudstack; Affected: 4.20.0.0

Vulnerability Details (2 sources)

GHSA: GHSA-ppvv-98qr-pg74: The CloudStack Quota plugin has an improper privilege management logic in version 4 (2025-06-11)
CVEList: Apache CloudStack: Unauthorised access to dedicated resources in Quota plugin (2025-06-10)