cve-2024-45461
Vulnerability from cvelistv5
Published
2024-10-16 07:54
Modified
2024-10-16 14:50
Severity ?
EPSS score ?
Summary
The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache CloudStack Quota plugin |
Version: 4.7.0 ≤ 4.18.2.3 Version: 4.19.0.0 ≤ 4.19.1.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-10-16T08:03:40.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/10/15/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T14:50:13.034595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T14:50:22.959Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack Quota plugin",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.18.2.3",
"status": "affected",
"version": "4.7.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.1.1",
"status": "affected",
"version": "4.19.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Fabr\u00edcio Duarte \u003cfabricio.duarte.jr@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThe CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u0026nbsp;\u003c/span\u003eAlternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting \"quota.enable.service\" to \"false\"."
}
],
"value": "The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.\n\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u00a0Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting \"quota.enable.service\" to \"false\"."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T07:54:15.484Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache CloudStack Quota plugin: Access checks not enforced in Quota",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45461",
"datePublished": "2024-10-16T07:54:15.484Z",
"dateReserved": "2024-08-29T08:55:51.392Z",
"dateUpdated": "2024-10-16T14:50:22.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45461\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-10-16T08:15:05.717\",\"lastModified\":\"2024-11-21T09:37:48.267\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.\\n\\n\\n\\n\\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u00a0Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting \\\"quota.enable.service\\\" to \\\"false\\\".\"},{\"lang\":\"es\",\"value\":\"La funci\u00f3n Cuota de CloudStack permite a los administradores de la nube implementar un sistema de cuota o l\u00edmite de uso para los recursos de la nube y est\u00e1 deshabilitada de forma predeterminada. En los entornos donde la funci\u00f3n est\u00e1 habilitada, debido a la falta de cumplimiento de las comprobaciones de acceso, las cuentas de usuario no administrativas de CloudStack pueden acceder y modificar las configuraciones y los datos relacionados con la cuota. Este problema afecta a Apache CloudStack desde la versi\u00f3n 4.7.0 hasta la 4.18.2.3 y desde la versi\u00f3n 4.19.0.0 hasta la 4.19.1.1, donde la funci\u00f3n Cuota est\u00e1 habilitada. Se recomienda a los usuarios que actualicen a Apache CloudStack 4.18.2.4 o 4.19.1.2, o posterior, que soluciona este problema. Como alternativa, se recomienda a los usuarios que no usan la funci\u00f3n Cuota que deshabiliten el complemento configurando la configuraci\u00f3n global \\\"quota.enable.service\\\" en \\\"false\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.9,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.7.0\",\"versionEndExcluding\":\"4.18.2.4\",\"matchCriteriaId\":\"E0AC5324-15B3-4E0F-AC67-84C754F9337C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19.0.0\",\"versionEndExcluding\":\"4.19.1.2\",\"matchCriteriaId\":\"6B851F50-43E1-4DD1-989E-94676D12EC33\"}]}]}],\"references\":[{\"url\":\"https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/10/15/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.