CVE-2024-45693 HIGH

CVE-2024-45693: Apache CloudStack: Request origin validation bypass makes account takeover possible

Vendor Apache Software Foundation

Product Apache CloudStack

Weakness CWE-352 · CSRF

Published October 16, 2024

Last update October 16, 2024

View on NVD All CVEs

CVSS base score

8.0/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

Description

Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1 Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.

Key dates

Disclosure timeline

October 16, 2024 CVE published

October 16, 2024 Record updated

Identifiers

CVE CVE-2024-45693

CWE CWE-352

CVSS 8.0 / HIGH

Affected versions

Vendor Apache Software Foundation

Product Apache CloudStack

Affected ≥ 4.15.1.0 and ≤ 4.18.2.3

Vendor Apache Software Foundation

Product Apache CloudStack

Affected ≥ 4.19.0.0 and ≤ 4.19.1.1