CVE-2024-29007

CVE-2024-29007: Apache CloudStack: When downloading templates or ISOs, the management server and SSVM follow HTTP redirects with potentially dangerous consequences

Vendor Apache Software Foundation

Product Apache CloudStack

Weakness CWE-918 · SSRF

Published April 4, 2024

Last update November 12, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

The CloudStack management server and secondary storage VM could be tricked into making requests to restricted or random resources by means of following 301 HTTP redirects presented by external servers when downloading templates or ISOs. Users are recommended to upgrade to version 4.18.1.1 or 4.19.0.1, which fixes this issue.

Key dates

Disclosure timeline

April 4, 2024 CVE published

November 12, 2024 Record updated

Identifiers

CVE CVE-2024-29007

CWE CWE-918

Affected versions

Vendor Apache Software Foundation

Product Apache CloudStack

Affected ≥ 4.9.1.0 and ≤ 4.18.1.0

Vendor Apache Software Foundation

Product Apache CloudStack

Affected 4.19.0.0