Insecure Quota Configuration in CloudStack Allowing Unauthorized Access to Quota-Related Data and Configurations
CVE-2024-45461

5.7MEDIUM

Key Information:

Vendor
Apache
Status
Apache Cloudstack Quota Plugin
Vendor
CVE Published:
16 October 2024

Summary

The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.

Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".

Affected Version(s)

Apache CloudStack Quota plugin 4.7.0 <= 4.18.2.3

Apache CloudStack Quota plugin 4.19.0.0 <= 4.19.1.1

References

https://cloudstack.apache.org/blog/security-release-advis...
vendor-advisorypatch
https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9t...
mailing-list
https://www.shapeblue.com/shapeblue-security-advisory-apa...
third-party-advisory

CVSS V3.1

Score:
5.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

.