The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.
Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.
References
Link | Resource |
---|---|
https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 | Third Party Advisory |
https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60 | Mailing List Vendor Advisory |
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/ | Broken Link |
Configurations
History
25 Jun 2025, 19:38
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:cloudstack:4.20.0.0:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
First Time |
Apache
Apache cloudstack |
|
References | () https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0 - Third Party Advisory | |
References | () https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60 - Mailing List, Vendor Advisory | |
References | () https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/ - Broken Link |
12 Jun 2025, 16:06
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
10 Jun 2025, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-06-10 23:15
Updated : 2025-06-25 19:38
NVD link : CVE-2025-22829
Mitre link : CVE-2025-22829
CVE.ORG link : CVE-2025-22829
JSON object : View
Products Affected
apache
- cloudstack
CWE
CWE-269
Improper Privilege Management