Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-45462— Apache CloudStack: Incomplete session invalidation on web interface logout

CVSS 6.3 · Medium EPSS 0.17% · P37
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-45462

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache CloudStack: Incomplete session invalidation on web interface logout
Source: NVD (National Vulnerability Database)
Vulnerability Description
The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
不充分的会话过期机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache CloudStack 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache CloudStack是美国阿帕奇(Apache)基金会的一套基础架构即服务(IaaS)云计算平台。该平台主要用于部署和管理大型虚拟机网络。 Apache CloudStack 4.15.10到4.18.2.3版本和4.19.0.0到4.19.1.1版本存在代码问题漏洞,该漏洞源于用户登出后会话未完全失效,可能导致拥有用户浏览器访问权限的攻击者在会话过期前访问已登出用户账户的资源。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache CloudStack 4.15.1.0 ~ 4.18.2.3 -

II. Public POCs for CVE-2024-45462

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-45462

登录查看更多情报信息。

Same Patch Batch · Apache Software Foundation · 2024-10-16 · 6 CVEs total

CVE-2024-452198.5 HIGHApache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-
CVE-2024-456938.0 HIGHApache CloudStack: Request origin validation bypass makes account takeover possible
CVE-2024-454615.7 MEDIUMApache CloudStack Quota plugin: Access checks not enforced in Quota
CVE-2024-45217Apache Solr: ConfigSets created during a backup restore command are trusted implicitly
CVE-2024-45216Apache Solr: Authentication bypass possible using a fake URL Path ending

IV. Related Vulnerabilities

Same product: Apache CloudStack
Same vendor: Apache Software Foundation
Same weakness: CWE-613

V. Comments for CVE-2024-45462

No comments yet

Leave a comment