Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-59454

In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.

Published

2025-11-27T12:15:47.550

Last Modified

2025-12-02T14:38:07.577

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	cloudstack	< 4.20.2.0	Yes
Application	apache	cloudstack	4.21.0.0	Yes

References

https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc Mailing List, Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2025/11/27/3 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)