oss-sec mailing list archives

CVE-2024-45461: Apache CloudStack Quota plugin: Access checks not enforced in Quota


From: Daniel Augusto Veronezi Salvador <gutoveronezi () apache org>
Date: Tue, 15 Oct 2024 18:30:57 +0000

Severity: moderate

Affected versions:

- Apache CloudStack Quota plugin 4.7.0 through 4.18.2.3
- Apache CloudStack Quota plugin 4.19.0.0 through 4.19.1.1

Description:

The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud 
resources, and is disabled by default. In environments where the feature is enabled, due to missing access check 
enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations 
and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where 
the Quota feature is enabled.
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Alternatively, users that do not use the Quota feature are advised to disable the plugin by setting the global setting
"quota.enable.service" to "false".
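A small triage helper for this advisory, added here as an example (it is not code from the advisory or from the CloudStack project). It encodes the two affected version ranges above, compares a deployment's version string against them, and combines that with the value of the "quota.enable.service" global setting to decide whether the deployment is actually exposed. Assumptions: the version is a dotted numeric string such as "4.18.2.3" or "4.19.1" (an optional "-qualifier" suffix is ignored), and the setting value is the string "true"/"false" as stored in CloudStack's global settings; the sample inputs in the test are constructed.

```python
"""Triage helper for CVE-2024-45461 (Apache CloudStack Quota plugin).

Added example, not code from the advisory or the CloudStack project. It checks
a CloudStack version string against the advisory's affected ranges and, together
with the "quota.enable.service" global setting, reports whether a deployment is
exposed and what the advisory recommends.
"""
from typing import List, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges exactly as published in the advisory (inclusive on both ends).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((4, 7, 0, 0), (4, 18, 2, 3)),
    ((4, 19, 0, 0), (4, 19, 1, 1)),
]

# Fixed release for each range, as stated in the advisory.
FIXED_VERSION = {
    ((4, 7, 0, 0), (4, 18, 2, 3)): "4.18.2.4",
    ((4, 19, 0, 0), (4, 19, 1, 1)): "4.19.1.2",
}


def parse_version(version: str) -> Version:
    """Turn '4.18.2.3' or '4.19.1' into a 4-tuple, right-padding with zeros.

    Assumption: versions are dotted numeric strings; a trailing qualifier
    such as '-SNAPSHOT' is dropped before comparison.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CloudStack version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def affected_range(version: str):
    """Return the (lo, hi) range the version falls in, or None if unaffected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v <= hi:
            return (lo, hi)
    return None


def version_is_affected(version: str) -> bool:
    return affected_range(version) is not None


def deployment_exposed(version: str, quota_enable_service: str) -> bool:
    """True only when the version is affected AND the Quota feature is enabled.

    quota_enable_service is the raw string value of the global setting
    (assumed "true"/"false", case-insensitive).
    """
    enabled = quota_enable_service.strip().lower() == "true"
    return version_is_affected(version) and enabled


def recommended_action(version: str, quota_enable_service: str) -> str:
    """Map the two inputs onto the advisory's recommendation."""
    rng = affected_range(version)
    if rng is None:
        return "not affected: version is outside the advisory's ranges"
    fixed = FIXED_VERSION[rng]
    if not deployment_exposed(version, quota_enable_service):
        return f"affected version but Quota disabled: plan upgrade to {fixed} or later"
    return (f"EXPOSED: upgrade to {fixed} or later, or set "
            "quota.enable.service=false if the Quota feature is not used")


if __name__ == "__main__":
    # Constructed sample: a 4.19.1.1 management server with Quota switched on.
    print(recommended_action("4.19.1.1", "true"))
```

The current value of the setting can be read from the management server with the listConfigurations API (for example via cloudmonkey, `list configurations name=quota.enable.service`); feed the returned `value` string and the server's version into `recommended_action`. The range check is inclusive on both ends, so 4.18.2.3 and 4.19.1.1 are reported as affected while 4.18.2.4 and 4.19.1.2 are not.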

Credit:

Fabrício Duarte <fabricio.duarte.jr () gmail com> (reporter)

References:

https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2
https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo
https://cloudstack.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-45461
