CVE-2025-30675: Sensitive Information Exposure in Software Foundation Apache CloudStack

Severity: 4.7 MEDIUM (NVD)
EPSS: 0.4% (top 40.84%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 11

Description

In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain. A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating i

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Exploitability: 1.2 | Impact: 3.4

Affected Packages (2 packages)

NVD | apache/cloudstack | 4.0.0 | 4.19.3.0 | +1
CVEListV5 | apache_software_foundation/apache_cloudstack | 4.0.0 | 4.19.3.0 | +1

Vulnerability Details (2)

GHSA: GHSA-9wjh-qx89-88ff: In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs (2025-06-11)
CVEList: Apache CloudStack: Unauthorised template/ISO list access to the domain/resource admins (2025-06-10)