ShapeBlue Security Advisory: Unauthorised access to annotations
The Apache CloudStack project has announced an advisory against CVE-2025-22828 (severity ‘Low’) – Unauthorised access to annotation. Affected Versions Apache CloudStack 4.16.0 or later. Description and Resolution CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions […]
Refinements in Apache CloudStack 4.20: Exploring UI, Security and Network Updates | CloudStack Feature First Look
Introduction Apache CloudStack 4.20 introduces several exciting new features that enhance its functionality and user experience. This blog post will closely examine some of the minor, yet important features included in this latest release. These features include support for network data in Config Drive, the ability to enable security groups in existing advanced zones, a […]
ShapeBlue Security Advisory: Apache CloudStack Security Releases 4.18.2.5 and 4.19.1.3
The Apache CloudStack project has announced an advisory against CVE-2024-50386 (severity ‘Important’). CVE-2024-50386: Directly downloaded templates can be used to abuse KVM-based infrastructure Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in […]
ShapeBlue Security Advisory: Apache CloudStack Security Releases 4.18.2.4 and 4.19.1.2
The Apache CloudStack project has announced an advisory against CVE-2024-45219 (severity ‘Important’), CVE-2024-45461 (severity ‘Moderate’), CVE-2024-45462 (severity ‘Moderate’) and CVE-2024-45693 (severity ‘Important’), explained below. CVE-2024-45219: Uploaded and registered templates and volumes can abuse KVM-based infrastructure Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for […]
ShapeBlue Security Advisory: Apache CloudStack Security Releases 4.18.2.3 and 4.19.1.1
The Apache CloudStack project has announced an advisory against CVE-2024-42062 and CVE-2024-42222, both of severity rating ‘critical’, explained below. CVE-2024-42062: User Key Exposure to Domain Admins CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the […]
ShapeBlue Security Advisory: Apache CloudStack CVE-2024-41107 SAML Signature Exclusion
The Apache CloudStack project has announced an advisory against CVE-2024-41107 that affects CloudStack SAML users, of severity ‘important’ explained below. CVE-2024-41107: SAML Signature Exclusion The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass […]
ShapeBlue Security Advisory: Apache CloudStack Security Releases 4.18.2.1 and 4.19.0.2
The Apache CloudStack project has announced an advisory against CVE-2024-38346 and CVE-2024-39864, both of severity rating ‘important’, explained below. CVE-2024-38346: Unauthenticated cluster service port leads to remote execution The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of […]
ShapeBlue Security Advisory : Apache CloudStack Security Releases 4.18.1.1 and 4.19.0.1
Overview Apache CloudStack project has issued an advisory against the following CVEs: CVE-2024-29006: x-forwarded-for HTTP header parsed by default Severity: moderate Description: By default the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead to authentication bypass and other operational problems should […]
