Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1 Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Wed, 16 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache cloudstack
CPEs cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache cloudstack
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 16 Oct 2024 08:00:00 +0000

Type Values Removed Values Added
Description Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may lead to account takeover, disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1 Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Title Apache CloudStack: Request origin validation bypass makes account takeover possible
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-10-16T07:52:25.816Z

Updated: 2024-10-16T14:57:41.020Z

Reserved: 2024-09-05T00:23:11.078Z

Link: CVE-2024-45693

cve-icon Vulnrichment

Updated: 2024-10-16T08:03:43.602Z

cve-icon NVD

Status : Modified

Published: 2024-10-16T08:15:06.160

Modified: 2024-11-21T09:37:59.820

Link: CVE-2024-45693

cve-icon Redhat

No data.