CVE-2024-45461 Information
Description
The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources and is disabled by default. In environments where the feature is enabled, missing access check enforcement allows non-administrative CloudStack user accounts to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3, and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2 or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disable the plugin by setting the global setting "quota.enable.service" to "false".
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Reference
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2
https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
Base Score
6.3
Base Severity
MEDIUM