cvelistv5 - cve-2025-22828

cve-2025-22828

Vulnerability from cvelistv5

Published

2025-01-13 12:47

Modified

2025-01-13 19:02

Severity ?

Summary

CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources. This may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact. CloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.

References

▼	URL	Tags
	security@apache.org	https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/01/13/1

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache CloudStack	Version: 4.16.0 ≤ *

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "NONE",
                     baseScore: 4.3,
                     baseSeverity: "MEDIUM",
                     confidentialityImpact: "LOW",
                     integrityImpact: "NONE",
                     privilegesRequired: "LOW",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2025-22828",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-13T17:24:45.749950Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-13T17:25:25.072Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2025-01-13T19:02:32.935Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "http://www.openwall.com/lists/oss-security/2025/01/13/1",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Apache CloudStack",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThanOrEqual: "*",
                     status: "affected",
                     version: "4.16.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               value: "Alex Perrakis <alexperrakis1@gmail.com>",
            },
            {
               lang: "en",
               type: "reporter",
               value: "Efstratios Chatzoglou <efchatzoglou@gmail.com>",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<div>CloudStack users can add and read comments (annotations) on resources they are authorised to access.&nbsp;</div><div>Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources.&nbsp;</div><div>An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources.&nbsp;</div><div>This may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact.</div><br><div>CloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.</div><br>",
                  },
               ],
               value: "CloudStack users can add and read comments (annotations) on resources they are authorised to access. \n\nDue to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. \n\nAn attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources. \n\nThis may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact.\n\n\nCloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "Low",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-200",
                     description: "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-01-13T12:47:51.619Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Apache CloudStack: Unauthorised access to annotations",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2025-22828",
      datePublished: "2025-01-13T12:47:51.619Z",
      dateReserved: "2025-01-07T22:13:56.892Z",
      dateUpdated: "2025-01-13T19:02:32.935Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2025-22828\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-01-13T13:16:12.233\",\"lastModified\":\"2025-01-13T19:15:11.373\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CloudStack users can add and read comments (annotations) on resources they are authorised to access. \\n\\nDue to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. \\n\\nAn attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources. \\n\\nThis may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact.\\n\\n\\nCloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.\"},{\"lang\":\"es\",\"value\":\"Los usuarios de CloudStack pueden agregar y leer comentarios (anotaciones) en los recursos a los que están autorizados a acceder. Debido a un problema de validación de acceso que afecta a las versiones de Apache CloudStack desde la 4.16.0, los usuarios que tienen acceso, acceso previo o conocimiento de los UUID de los recursos pueden enumerar y agregar comentarios (anotaciones) a dichos recursos. Un atacante con una cuenta de usuario y acceso o conocimiento previo de los UUID de los recursos puede aprovechar este problema para leer el contenido de los comentarios (anotaciones) o agregar comentarios maliciosos (anotaciones) a dichos recursos. Esto puede provocar una posible pérdida de confidencialidad de los entornos y recursos de CloudStack si los comentarios (anotaciones) contienen información privilegiada. Sin embargo, adivinar o forzar brutamente los UUID de los recursos es generalmente difícil o imposible y el acceso para enumerar o agregar comentarios no es lo mismo que el acceso a los recursos de CloudStack, lo que hace que este problema sea de muy baja gravedad y, en general, de bajo impacto. Los administradores de CloudStack también pueden prohibir el acceso a la API listAnnotations y addAnnotation a roles que no sean de administrador en su entorno como medida provisional.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/01/13/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/01/13/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-01-13T19:02:32.935Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-22828\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-13T17:24:45.749950Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-13T17:25:10.476Z\"}}], \"cna\": {\"title\": \"Apache CloudStack: Unauthorised access to annotations\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Alex Perrakis <alexperrakis1@gmail.com>\"}, {\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Efstratios Chatzoglou <efchatzoglou@gmail.com>\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"Low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache CloudStack\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.16.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"*\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"CloudStack users can add and read comments (annotations) on resources they are authorised to access.\\u00a0\\n\\nDue to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources.\\u00a0\\n\\nAn attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources.\\u00a0\\n\\nThis may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact.\\n\\n\\nCloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"<div>CloudStack users can add and read comments (annotations) on resources they are authorised to access.&nbsp;</div><div>Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources.&nbsp;</div><div>An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources.&nbsp;</div><div>This may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact.</div><br><div>CloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.</div><br>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-01-13T12:47:51.619Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2025-22828\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-13T19:02:32.935Z\", \"dateReserved\": \"2025-01-07T22:13:56.892Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-01-13T12:47:51.619Z\", \"assignerShortName\": \"apache\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}

ghsa-7jhp-8mw7-9mrw

Vulnerability from github

Published

2025-01-13 15:30

Modified

2025-01-13 21:30

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CloudStack users can add and read comments (annotations) on resources they are authorised to access.

Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources.

An attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources.

This may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact.

CloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2025-22828",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-200",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2025-01-13T13:16:12Z",
      severity: "MODERATE",
   },
   details: "CloudStack users can add and read comments (annotations) on resources they are authorised to access. \n\nDue to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. \n\nAn attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources. \n\nThis may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact.\n\n\nCloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.",
   id: "GHSA-7jhp-8mw7-9mrw",
   modified: "2025-01-13T21:30:52Z",
   published: "2025-01-13T15:30:49Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2025-22828",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs",
      },
      {
         type: "WEB",
         url: "http://www.openwall.com/lists/oss-security/2025/01/13/1",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
         type: "CVSS_V3",
      },
   ],
}

fkie_cve-2025-22828

Vulnerability from fkie_nvd

Published

2025-01-13 13:16

Modified

2025-01-13 19:15

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

References

▼	URL	Tags
	security@apache.org	https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/01/13/1

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "CloudStack users can add and read comments (annotations) on resources they are authorised to access. \n\nDue to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. \n\nAn attacker with a user-account and access or prior knowledge of resource UUIDs may exploit this issue to read contents of the comments (annotations) or add malicious comments (annotations) to such resources. \n\nThis may cause potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs are generally hard to impossible and access to listing or adding comments isn't same as access to CloudStack resources, making this issue of very low severity and general low impact.\n\n\nCloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.",
      },
      {
         lang: "es",
         value: "Los usuarios de CloudStack pueden agregar y leer comentarios (anotaciones) en los recursos a los que están autorizados a acceder. Debido a un problema de validación de acceso que afecta a las versiones de Apache CloudStack desde la 4.16.0, los usuarios que tienen acceso, acceso previo o conocimiento de los UUID de los recursos pueden enumerar y agregar comentarios (anotaciones) a dichos recursos. Un atacante con una cuenta de usuario y acceso o conocimiento previo de los UUID de los recursos puede aprovechar este problema para leer el contenido de los comentarios (anotaciones) o agregar comentarios maliciosos (anotaciones) a dichos recursos. Esto puede provocar una posible pérdida de confidencialidad de los entornos y recursos de CloudStack si los comentarios (anotaciones) contienen información privilegiada. Sin embargo, adivinar o forzar brutamente los UUID de los recursos es generalmente difícil o imposible y el acceso para enumerar o agregar comentarios no es lo mismo que el acceso a los recursos de CloudStack, lo que hace que este problema sea de muy baja gravedad y, en general, de bajo impacto. Los administradores de CloudStack también pueden prohibir el acceso a la API listAnnotations y addAnnotation a roles que no sean de administrador en su entorno como medida provisional.",
      },
   ],
   id: "CVE-2025-22828",
   lastModified: "2025-01-13T19:15:11.373",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "LOW",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 1.4,
            source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
            type: "Secondary",
         },
      ],
   },
   published: "2025-01-13T13:16:12.233",
   references: [
      {
         source: "security@apache.org",
         url: "https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.openwall.com/lists/oss-security/2025/01/13/1",
      },
   ],
   sourceIdentifier: "security@apache.org",
   vulnStatus: "Awaiting Analysis",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-200",
            },
         ],
         source: "security@apache.org",
         type: "Secondary",
      },
   ],
}

wid-sec-w-2025-0052

Vulnerability from csaf_certbund

Published

2025-01-13 23:00

Modified

2025-01-13 23:00

Summary

Apache CloudStack: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache CloudStack ist eine Sofwareplattform zum Verwalten großer Netzwerke von virtuellen Maschienen als eine hoch verfügbare, hoch skalierbare Infrastructure as a Service (IaaS) Cloud Computing Plattform. CloudStack wurde von Citrix entwicklet und anschließend über Apache als Open Source Software zur Verfügung gestellt.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Apache CloudStack ausnutzen, um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- Linux - UNIX

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "mittel",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "Apache CloudStack ist eine Sofwareplattform zum Verwalten großer Netzwerke von virtuellen Maschienen als eine hoch verfügbare, hoch skalierbare Infrastructure as a Service (IaaS) Cloud Computing Plattform. CloudStack wurde von Citrix entwicklet und anschließend über Apache als Open Source Software zur Verfügung gestellt.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Apache CloudStack ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Linux\n- UNIX",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2025-0052 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0052.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2025-0052 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0052",
         },
         {
            category: "external",
            summary: "CloudStack Blog vom 2025-01-13",
            url: "https://cloudstack.apache.org/blog/unauthorised-access-to-annotations",
         },
         {
            category: "external",
            summary: "GitHub Advisory Database vom 2025-01-13",
            url: "https://github.com/advisories/GHSA-7jhp-8mw7-9mrw",
         },
         {
            category: "external",
            summary: "OSS Security Mailing List vom 2025-01-13",
            url: "https://seclists.org/oss-sec/2025/q1/13",
         },
      ],
      source_lang: "en-US",
      title: "Apache CloudStack: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen",
      tracking: {
         current_release_date: "2025-01-13T23:00:00.000+00:00",
         generator: {
            date: "2025-01-14T10:33:13.845+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.10",
            },
         },
         id: "WID-SEC-W-2025-0052",
         initial_release_date: "2025-01-13T23:00:00.000+00:00",
         revision_history: [
            {
               date: "2025-01-13T23:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: ">=4.16.0",
                        product: {
                           name: "Apache CloudStack >=4.16.0",
                           product_id: "1201080",
                        },
                     },
                     {
                        category: "product_version_range",
                        name: ">=4.16.0",
                        product: {
                           name: "Apache CloudStack >=4.16.0",
                           product_id: "1201080-fixed",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "CloudStack",
               },
            ],
            category: "vendor",
            name: "Apache",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2025-22828",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Apache CloudStack. Aufgrund eines Zugriffsvalidierungsproblems können Benutzer unbefugt Kommentare auflisten, hinzufügen, bearbeiten und löschen. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsvorkehrungen zu umgehen",
            },
         ],
         release_date: "2025-01-13T23:00:00.000+00:00",
         title: "CVE-2025-22828",
      },
   ],
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2025-22828

Vulnerability from cvelistv5

ghsa-7jhp-8mw7-9mrw

Vulnerability from github

fkie_cve-2025-22828

Vulnerability from fkie_nvd

wid-sec-w-2025-0052

Vulnerability from csaf_certbund

Tags

Sightings

Nomenclature