CVE-2024-45462

EUVD-2024-41492

16.10.2024, 08:15

The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1.




Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.3 MEDIUM	LOCAL	HIGH	NONE	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
apache	CNA	6.3 MEDIUM	LOCAL	HIGH	NONE	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 34%

Affected Products (NVD)

Vendor	Product	Version
apache_software_foundation	apache_cloudstack	4.18.2.3 ≤ 𝑥 ≤ 4.18.2.3
apache_software_foundation	apache_cloudstack	4.19.1.1 ≤ 𝑥 ≤ 4.19.1.1
apache	cloudstack	4.15.1.0 ≤ 𝑥 < 4.18.2.4
apache	cloudstack	4.19.0.0 ≤ 𝑥 < 4.19.1.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-613 - Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References

https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2

https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo

http://www.openwall.com/lists/oss-security/2024/10/15/4