CVE-2025-47849 (GCVE-0-2025-47849)
Vulnerability from cvelistv5
Published
2025-06-10 23:07
Modified
2025-06-14 03:56
Severity ?
CWE
  • CWE-269 - Improper Privilege Management
Summary
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following: * Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role.  * API privilege comparison: the caller must possess all privileges of the user they are operating on.  * Two new domain-level settings (restricted to the default admin):   - role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".   - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
References
security@apache.orghttps://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/Vendor Advisory
security@apache.orghttps://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60Mailing List, Vendor Advisory
security@apache.orghttps://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/Broken Link
Impacted products
Vendor Product Version
Apache Software Foundation Apache CloudStack Version: 4.10.0   
Version: 4.20.0.0   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-47849",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-14T03:56:15.872Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache CloudStack",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "4.19.3.0",
              "status": "affected",
              "version": "4.10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20.1.0",
              "status": "affected",
              "version": "4.20.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kevin Li \u003ckli74@apple.com\u003e"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Scott Schmitz \u003csschmitz@ussignal.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. \u003c/span\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eStrict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAPI privilege comparison: the caller must possess all privileges of the user they are operating on.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eTwo new domain-level settings (restricted to the default admin):\u0026nbsp;\u003cbr\u003e\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\".\u0026nbsp;\u003cbr\u003e\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
            }
          ],
          "value": "A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\n\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\n\n\n  *  Strict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\u00a0\n  *  API privilege comparison: the caller must possess all privileges of the user they are operating on.\u00a0\n  *  Two new domain-level settings (restricted to the default admin):\u00a0\n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\".\u00a0\n\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-10T23:07:54.526Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache CloudStack: Insecure access of user\u0027s API/Secret Keys in the same domain",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-47849",
    "datePublished": "2025-06-10T23:07:54.526Z",
    "dateReserved": "2025-05-12T08:45:45.595Z",
    "dateUpdated": "2025-06-14T03:56:15.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-47849\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-06-10T23:15:58.453\",\"lastModified\":\"2025-07-01T20:13:33.813\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\\n\\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\\n\\n\\n  *  Strict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\u00a0\\n  *  API privilege comparison: the caller must possess all privileges of the user they are operating on.\u00a0\\n  *  Two new domain-level settings (restricted to the default admin):\u00a0\\n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \\\"Admin, DomainAdmin, ResourceAdmin\\\".\u00a0\\n\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de escalada de privilegios en Apache CloudStack, versiones 4.10.0.0 a 4.20.0.0, donde un usuario administrador de dominio malintencionado en el dominio ROOT puede obtener la clave API y la clave secreta de las cuentas de usuario con el rol de administrador en el mismo dominio. Esta operaci\u00f3n no est\u00e1 restringida adecuadamente y permite al atacante asumir el control sobre cuentas de usuario con mayores privilegios. Un atacante malintencionado de dominio puede suplantar una cuenta de usuario administrador y obtener acceso a API y recursos confidenciales que podr\u00edan comprometer la integridad y confidencialidad de los recursos, la p\u00e9rdida de datos, la denegaci\u00f3n de servicio y la disponibilidad de la infraestructura administrada por CloudStack. Se recomienda a los usuarios actualizar a Apache CloudStack 4.19.3.0 o 4.20.1.0, que soluciona el problema con lo siguiente: * Validaci\u00f3n estricta en la jerarqu\u00eda de tipos de rol: el rol del llamante debe ser igual o superior al rol del usuario objetivo. * Comparaci\u00f3n de privilegios de API: el usuario que realiza la llamada debe tener todos los privilegios del usuario con el que opera. * Dos nuevas configuraciones a nivel de dominio (restringidas al administrador predeterminado): - role.types.allowed.for.operations.on.accounts.of.same.role.type: Define qu\u00e9 tipos de rol pueden actuar sobre usuarios del mismo tipo. Predeterminado: \\\"Admin, DomainAdmin, ResourceAdmin\\\". - allow.operations.on.users.in.same.account: Permite o impide las operaciones de usuario dentro de la misma cuenta. Predeterminado: true.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.10.0.0\",\"versionEndExcluding\":\"4.19.3.0\",\"matchCriteriaId\":\"F76F9027-3B50-4AEA-8E3D-E0C8A4E256A8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20.0.0\",\"versionEndExcluding\":\"4.20.1.0\",\"matchCriteriaId\":\"67E1FECD-94E6-4B2A-A52D-47D7FC8C9B10\"}]}]}],\"references\":[{\"url\":\"https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/\",\"source\":\"security@apache.org\",\"tags\":[\"Broken Link\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-47849\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-11T13:44:38.350448Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-11T13:45:07.392Z\"}}], \"cna\": {\"title\": \"Apache CloudStack: Insecure access of user\u0027s API/Secret Keys in the same domain\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Kevin Li \u003ckli74@apple.com\u003e\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Scott Schmitz \u003csschmitz@ussignal.com\u003e\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache CloudStack\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.10.0\", \"lessThan\": \"4.19.3.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.20.0.0\", \"lessThan\": \"4.20.1.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60\", \"tags\": [\"mailing-list\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\\n\\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\\n\\n\\n  *  Strict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\\u00a0\\n  *  API privilege comparison: the caller must possess all privileges of the user they are operating on.\\u00a0\\n  *  Two new domain-level settings (restricted to the default admin):\\u00a0\\n\\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \\\"Admin, DomainAdmin, ResourceAdmin\\\".\\u00a0\\n\\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\u003cspan style=\\\"background-color: rgba(232, 232, 232, 0.04);\\\"\u003e\u003cspan style=\\\"background-color: rgba(232, 232, 232, 0.04);\\\"\u003eA privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. \u003c/span\u003e\u003cspan style=\\\"background-color: rgba(232, 232, 232, 0.04);\\\"\u003eA malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ecould result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cspan style=\\\"background-color: rgba(232, 232, 232, 0.04);\\\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\\\"background-color: rgba(232, 232, 232, 0.04);\\\"\u003eStrict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\\\"background-color: rgba(232, 232, 232, 0.04);\\\"\u003eAPI privilege comparison: the caller must possess all privileges of the user they are operating on.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\\\"background-color: rgba(232, 232, 232, 0.04);\\\"\u003eTwo new domain-level settings (restricted to the default admin):\u0026nbsp;\u003cbr\u003e\\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \\\"Admin, DomainAdmin, ResourceAdmin\\\".\u0026nbsp;\u003cbr\u003e\\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269 Improper Privilege Management\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-06-10T23:07:54.526Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-47849\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-14T03:56:15.872Z\", \"dateReserved\": \"2025-05-12T08:45:45.595Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-06-10T23:07:54.526Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.