CVE-2025-22829 — MEDIUM (4.3)

Vulnerability Description

The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations. Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Cloudstack	4.20.0.0

Related Weaknesses (CWE)

CWE-269

References

https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0Third Party Advisory
https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60Mailing ListVendor Advisory
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-securityBroken Link

FAQ

What is CVE-2025-22829?

CVE-2025-22829 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enab...

How severe is CVE-2025-22829?

CVE-2025-22829 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-22829?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Cloudstack.