
CVE-2025-30675 – Apache CloudStack: Unauthorised template/ISO list access to the domain/resource admins
https://notcve.org/view.php?id=CVE-2025-30675
10 Jun 2025 — In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain. A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boun... • https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2025-22829 – Apache CloudStack: Unauthorised access to dedicated resources in Quota plugin
https://notcve.org/view.php?id=CVE-2025-22829
10 Jun 2025 — The CloudStack Quota plugin has improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in a CloudStack 4.20.0.0 environment where this plugin is enabled, and who has access to specific APIs, can enable or disable reception of quota-related emails for any account in the environment and list their configurations. Quota plugin users running CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue. • https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-269: Improper Privilege Management •

CVE-2025-26521 – Apache CloudStack: CKS cluster in project exposes user API keys
https://notcve.org/view.php?id=CVE-2025-26521
10 Jun 2025 — When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster can also access the API key and secret key of the 'kubeadmin' user of the CKS cluster creator's account. An attacker who is a member of the project can exploit this to impersonate and perform pri... • https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2025-47849 – Apache CloudStack: Insecure access of user's API/Secret Keys in the same domain
https://notcve.org/view.php?id=CVE-2025-47849
10 Jun 2025 — A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result i... • https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-269: Improper Privilege Management •

CVE-2025-47713 – Apache CloudStack: Domain Admin can reset Admin password in Root Domain
https://notcve.org/view.php?id=CVE-2025-47713
10 Jun 2025 — A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource in... • https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 • CWE-269: Improper Privilege Management •