Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-45461

The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".

Published

2024-10-16T08:15:05.717

Last Modified

2025-02-12T10:15:13.277

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.7 (MEDIUM)

Weaknesses

Type: Secondary
CWE-862
Type: Secondary
CWE-862

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	cloudstack	< 4.18.2.4	Yes
Application	apache	cloudstack	< 4.19.1.2	Yes

References

https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2 Vendor Advisory ([email protected])
https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo Vendor Advisory ([email protected])
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/ ([email protected])
http://www.openwall.com/lists/oss-security/2024/10/15/3 (af854a3a-2127-422b-91ae-364da2661108)