CVE-2024-45693

16.10.2024, 08:15

Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the authenticated users and may leadto account takeover,disruption, exposure of sensitive data and compromise integrity of the resources owned by the user account that are managed by the platform.

This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1

Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
apache	CNA	8 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Vendor	Product	Version
apache	cloudstack	4.18.2.3 ≤ 𝑥 ≤ 4.18.2.3
apache	cloudstack	4.19.1.1 ≤ 𝑥 ≤ 4.19.1.1
apache	cloudstack	4.15.1.0 ≤ 𝑥 < 4.18.2.4
apache	cloudstack	4.19.0.0 ≤ 𝑥 < 4.19.1.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2

https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo

http://www.openwall.com/lists/oss-security/2024/10/15/5