CVE-2024-45461 MEDIUM

CVE-2024-45461: Apache CloudStack Quota plugin: Access checks not enforced in Quota

Vendor Apache Software Foundation

Product Apache CloudStack Quota plugin

Weakness CWE-862 · Missing authorization

Published October 16, 2024

Last update February 21, 2025

View on NVD All CVEs

CVSS base score

5.7/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

What the vulnerability does

Description

The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".

Key dates

Disclosure timeline

October 16, 2024 CVE published

February 21, 2025 Record updated

Identifiers

CVE CVE-2024-45461

CWE CWE-862

CVSS 5.7 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache CloudStack Quota plugin

Affected ≥ 4.7.0 and ≤ 4.18.2.3

Vendor Apache Software Foundation

Product Apache CloudStack Quota plugin

Affected ≥ 4.19.0.0 and ≤ 4.19.1.1