CVE-2024-45693

Apache CloudStack: Request origin validation bypass makes account takeover possible

Severity Score

8.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform.

This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1

Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.

Los usuarios que hayan iniciado sesión en la interfaz web de Apache CloudStack pueden ser engañados para que envíen solicitudes CSRF maliciosas debido a la falta de validación del origen de las solicitudes. Esto puede permitir que un atacante obtenga privilegios y acceso a los recursos de los usuarios autenticados y puede provocar la apropiación de cuentas, interrupciones, exposición de datos confidenciales y comprometer la integridad de los recursos propiedad de la cuenta de usuario que son administrados por la plataforma. Este problema afecta a Apache CloudStack desde la versión 4.15.1.0 hasta la 4.18.2.3 y desde la versión 4.19.0.0 hasta la 4.19.1.1. Se recomienda a los usuarios que actualicen a Apache CloudStack 4.18.2.4 o 4.19.1.2, o posterior, que soluciona este problema.

*Credits: Arthur Souza, Felipe Olivaes

CVSS Scores

Apachev3.1 8.0

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-09-05 CVE Reserved
2024-10-16 CVE Published
2024-10-16 CVE Updated
2024-10-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (2)

URL	Tag	Source
https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo	Mailing List

URL	Date	SRC

URL	Date	SRC
https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2	2024-10-16

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache CloudStack Search vendor "Apache Software Foundation" for product "Apache CloudStack"				>= 4.15.1.0 <= 4.18.2.3 Search vendor "Apache Software Foundation" for product "Apache CloudStack" and version " >= 4.15.1.0 <= 4.18.2.3"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache CloudStack Search vendor "Apache Software Foundation" for product "Apache CloudStack"				>= 4.19.0.0 <= 4.19.1.1 Search vendor "Apache Software Foundation" for product "Apache CloudStack" and version " >= 4.19.0.0 <= 4.19.1.1"		en		Affected