CVE-2025-22829

10.06.2025, 23:15

The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.

Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
apache	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Vulnerability Media Exposure

[GERMAN] Apache CloudStack: Mehrere Schwachstellen
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache CloudStack ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen und um seine Privilegien zu erweitern.
Published: 2025-06-10T22:00:00+00:00

References

https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0

https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60

https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/