The logout operation in the CloudStack web interface does not fully expire the user session, which remains valid until it times out or the backend service is restarted. An attacker with access to a user's browser can use the unexpired session to access resources owned by the logged-out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3, and from 4.19.0.0 through 4.19.1.1.
Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |
Thu, 17 Oct 2024 20:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Apache; Apache cloudstack |
CPEs | | cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:* |
Vendors & Products | | Apache; Apache cloudstack |
Wed, 16 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Apache Software Foundation; Apache Software Foundation apache Cloudstack |
CPEs | | cpe:2.3:a:apache_software_foundation:apache_cloudstack:*:*:*:*:*:*:*:* |
Vendors & Products | | Apache Software Foundation; Apache Software Foundation apache Cloudstack |
Metrics | | ssvc |
Wed, 16 Oct 2024 08:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | | The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. |
Title | | Apache CloudStack: Incomplete session invalidation on web interface logout |
Weaknesses | | CWE-613 |
References | | |
Metrics | | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-10-16T07:53:40.129Z
Updated: 2024-10-16T14:54:34.977Z
Reserved: 2024-08-29T08:57:32.948Z
Link: CVE-2024-45462
Vulnrichment
Updated: 2024-10-16T08:03:42.134Z
NVD
Status: Modified
Published: 2024-10-16T08:15:05.933
Modified: 2024-11-21T09:37:48.420
Link: CVE-2024-45462
Redhat
No data.