CVE-2024-45462

Apache CloudStack: Incomplete session invalidation on web interface logout

Severity Score

6.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1.

Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.

La operación de cierre de sesión en la interfaz web de CloudStack no hace que la sesión del usuario caduque por completo, lo que es válido hasta que caduque por tiempo o se reinicie el servicio de backend. Un atacante que tenga acceso al navegador de un usuario puede usar una sesión vigente para obtener acceso a los recursos que posee la cuenta de usuario que cerró la sesión. Este problema afecta a Apache CloudStack desde la versión 4.15.1.0 hasta la 4.18.2.3 y desde la versión 4.19.0.0 hasta la 4.19.1.1. Se recomienda a los usuarios que actualicen a Apache CloudStack 4.18.2.4 o 4.19.1.2, o una versión posterior, que soluciona este problema.

*Credits: Arthur Souza, Felipe Olivaes

CVSS Scores

Apachev3.1 6.3

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-08-29 CVE Reserved
2024-10-16 CVE Published
2024-10-16 CVE Updated
2024-10-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-613: Insufficient Session Expiration

CAPEC

References (2)

URL	Tag	Source
https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo	Mailing List

URL	Date	SRC

URL	Date	SRC
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2	2024-10-16

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache CloudStack Search vendor "Apache Software Foundation" for product "Apache CloudStack"				>= 4.15.1.0 <= 4.18.2.3 Search vendor "Apache Software Foundation" for product "Apache CloudStack" and version " >= 4.15.1.0 <= 4.18.2.3"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache CloudStack Search vendor "Apache Software Foundation" for product "Apache CloudStack"				>= 4.19.0.0 <= 4.19.1.1 Search vendor "Apache Software Foundation" for product "Apache CloudStack" and version " >= 4.19.0.0 <= 4.19.1.1"		en		Affected