CVE-2025-59454Sensitive Information Exposure in Software Foundation Apache Cloudstack

CWE-200Sensitive Information Exposure3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 67.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache CloudstackApache Cloudstack
Timeline
PublishedNov 27

Description

In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDapache/cloudstack4.0.04.20.2.0+1
CVEListV5apache_software_foundation/apache_cloudstack4.0.04.20.2+1

🔴Vulnerability Details

2
GHSA
GHSA-g2p7-38hq-rvj6: In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachine2025-11-27
CVEList
Apache CloudStack: Lack of user permission validation leading to data leak for few APIs2025-11-27
CVE-2025-59454 — Sensitive Information Exposure | cvebase