CVE-2024-45219

Опубликовано: 16 окт. 2024

Источник: nvd

CVSS3: 8.5

EPSS Низкий

Описание

Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.

Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.

Additionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat fil

Ссылки

https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2
Vendor Advisory
https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo
Mailing List
Vendor Advisory
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-4-and-4-19-1-2/
Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/10/15/2
Mailing List

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*

Версия от 4.0.0 (включая) до 4.18.2.4 (исключая)

cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*

Версия от 4.19.0.0 (включая) до 4.19.1.2 (исключая)

EPSS

Процентиль: 64%

0.00468

Низкий

8.5 High

CVSS3

Дефекты

CWE-20

CWE-116

Связанные уязвимости

GHSA-mp22-wph9-qgqx