Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-45461— Apache CloudStack Quota plugin: Access checks not enforced in Quota

CVSS 5.7 · Medium EPSS 0.14% · P34
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-45461

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache CloudStack Quota plugin: Access checks not enforced in Quota
Source: NVD (National Vulnerability Database)
Vulnerability Description
The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache CloudStack 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache CloudStack是美国阿帕奇(Apache)基金会的一套基础架构即服务(IaaS)云计算平台。该平台主要用于部署和管理大型虚拟机网络。 Apache CloudStack 4.7.0到4.18.2.3版本和4.19.0.0到4.19.1.1版本存在安全漏洞,该漏洞源于缺少访问检查强制执行,非管理用户能够访问和修改与配额相关的配置和数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache CloudStack Quota plugin 4.7.0 ~ 4.18.2.3 -

II. Public POCs for CVE-2024-45461

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-45461

登录查看更多情报信息。

Same Patch Batch · Apache Software Foundation · 2024-10-16 · 6 CVEs total

CVE-2024-452198.5 HIGHApache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-
CVE-2024-456938.0 HIGHApache CloudStack: Request origin validation bypass makes account takeover possible
CVE-2024-454626.3 MEDIUMApache CloudStack: Incomplete session invalidation on web interface logout
CVE-2024-45217Apache Solr: ConfigSets created during a backup restore command are trusted implicitly
CVE-2024-45216Apache Solr: Authentication bypass possible using a fake URL Path ending

IV. Related Vulnerabilities

Same vendor: Apache Software Foundation
Same weakness: CWE-862

V. Comments for CVE-2024-45461

No comments yet

Leave a comment