CVE-2024-45461

The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2	Vendor Advisory
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2	Vendor Advisory
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2	Vendor Advisory
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2	Vendor Advisory
https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo	Vendor Advisory
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/
http://www.openwall.com/lists/oss-security/2024/10/15/3

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:cloudstack::::::::
	cpe:2.3:a:apache:cloudstack::::::::

History

12 Feb 2025, 10:15

Type	Values Removed	Values Added
CWE	~~CWE-269~~
References		() https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/ -

Information

Published : 2024-10-16 08:15

Updated : 2025-02-12 10:15

NVD link : CVE-2024-45461

Mitre link : CVE-2024-45461

CVE.ORG link : CVE-2024-45461

JSON object : View

Products Affected

apache

cloudstack

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-45461", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 0.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2024-10-16T08:15:05.717", "references": [{"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/", "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/15/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.\n\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u00a0Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting \"quota.enable.service\" to \"false\"."}, {"lang": "es", "value": "La funci\u00f3n Cuota de CloudStack permite a los administradores de la nube implementar un sistema de cuota o l\u00edmite de uso para los recursos de la nube y est\u00e1 deshabilitada de forma predeterminada. En los entornos donde la funci\u00f3n est\u00e1 habilitada, debido a la falta de cumplimiento de las comprobaciones de acceso, las cuentas de usuario no administrativas de CloudStack pueden acceder y modificar las configuraciones y los datos relacionados con la cuota. Este problema afecta a Apache CloudStack desde la versi\u00f3n 4.7.0 hasta la 4.18.2.3 y desde la versi\u00f3n 4.19.0.0 hasta la 4.19.1.1, donde la funci\u00f3n Cuota est\u00e1 habilitada. Se recomienda a los usuarios que actualicen a Apache CloudStack 4.18.2.4 o 4.19.1.2, o posterior, que soluciona este problema. Como alternativa, se recomienda a los usuarios que no usan la funci\u00f3n Cuota que deshabiliten el complemento configurando la configuraci\u00f3n global \"quota.enable.service\" en \"false\"."}], "lastModified": "2025-02-12T10:15:13.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0AC5324-15B3-4E0F-AC67-84C754F9337C", "versionEndExcluding": "4.18.2.4", "versionStartIncluding": "4.7.0"}, {"criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B851F50-43E1-4DD1-989E-94676D12EC33", "versionEndExcluding": "4.19.1.2", "versionStartIncluding": "4.19.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}