Vulnerability Description
The CloudStack Quota feature allows cloud administrators to implement a quota or usage-limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access-check enforcement, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3, and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disable the plugin by setting the global setting "quota.enable.service" to "false".
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cloudstack | >= 4.7.0, < 4.18.2.4 |
References
- https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2 (Vendor Advisory)
- https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo (Vendor Advisory)
- https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security
- http://www.openwall.com/lists/oss-security/2024/10/15/3
FAQ
What is CVE-2024-45461?
CVE-2024-45461 is a vulnerability with a CVSS score of 5.7 (MEDIUM). The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due t...
How severe is CVE-2024-45461?
CVE-2024-45461 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-45461?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Cloudstack.