The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".
History

Thu, 17 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache cloudstack
Weaknesses CWE-862
CPEs cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache cloudstack

Wed, 16 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Oct 2024 08:00:00 +0000

Type Values Removed Values Added
Description The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting "quota.enable.service" to "false".
Title Apache CloudStack Quota plugin: Access checks not enforced in Quota
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-10-16T07:54:15.484Z

Updated: 2024-10-16T14:50:22.959Z

Reserved: 2024-08-29T08:55:51.392Z

Link: CVE-2024-45461

cve-icon Vulnrichment

Updated: 2024-10-16T08:03:40.636Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-16T08:15:05.717

Modified: 2024-10-17T20:50:10.550

Link: CVE-2024-45461

cve-icon Redhat

No data.