{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45461", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-08-29T08:55:51.392Z", "datePublished": "2024-10-16T07:54:15.484Z", "dateUpdated": "2024-10-16T14:50:22.959Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache CloudStack Quota plugin", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "4.18.2.3", "status": "affected", "version": "4.7.0", "versionType": "semver"}, {"lessThanOrEqual": "4.19.1.1", "status": "affected", "version": "4.19.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Fabr\u00edcio Duarte <fabricio.duarte.jr@gmail.com>"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.</div><div><br></div><span style=\"background-color: rgb(252, 252, 252);\">Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.&nbsp;</span>Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting \"quota.enable.service\" to \"false\"."}], "value": "The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.\n\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u00a0Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting \"quota.enable.service\" to \"false\"."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-10-16T07:54:15.484Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"}, {"tags": ["mailing-list"], "url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo"}, {"tags": ["third-party-advisory"], "url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"}], "source": {"discovery": "INTERNAL"}, "title": "Apache CloudStack Quota plugin: Access checks not enforced in Quota", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/15/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-16T08:03:40.636Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-16T14:50:13.034595Z", "id": "CVE-2024-45461", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-16T14:50:22.959Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/15/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-16T08:03:40.636Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45461", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-16T14:50:13.034595Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-16T14:50:18.971Z"}}], "cna": {"title": "Apache CloudStack Quota plugin: Access checks not enforced in Quota", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Fabr\u00edcio Duarte <fabricio.duarte.jr@gmail.com>"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache CloudStack Quota plugin", "versions": [{"status": "affected", "version": "4.7.0", "versionType": "semver", "lessThanOrEqual": "4.18.2.3"}, {"status": "affected", "version": "4.19.0.0", "versionType": "semver", "lessThanOrEqual": "4.19.1.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2", "tags": ["vendor-advisory", "patch"]}, {"url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo", "tags": ["mailing-list"]}, {"url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.\n\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u00a0Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting \"quota.enable.service\" to \"false\".", "supportingMedia": [{"type": "text/html", "value": "<div>The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.</div><div><br></div><span style=\"background-color: rgb(252, 252, 252);\">Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.&nbsp;</span>Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting \"quota.enable.service\" to \"false\".", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-10-16T07:54:15.484Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45461", "state": "PUBLISHED", "dateUpdated": "2024-10-16T14:50:22.959Z", "dateReserved": "2024-08-29T08:55:51.392Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-10-16T07:54:15.484Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0AC5324-15B3-4E0F-AC67-84C754F9337C", "versionEndExcluding": "4.18.2.4", "versionStartIncluding": "4.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B851F50-43E1-4DD1-989E-94676D12EC33", "versionEndExcluding": "4.19.1.2", "versionStartIncluding": "4.19.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud resources, and is disabled by default. In environments where the feature is enabled, due to missing access check enforcements, non-administrative CloudStack user accounts are able to access and modify quota-related configurations and data. This issue affects Apache CloudStack from 4.7.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1, where the Quota feature is enabled.\n\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.\u00a0Alternatively, users that do not use the Quota feature are advised to disabled the plugin by setting the global setting \"quota.enable.service\" to \"false\"."}, {"lang": "es", "value": "La funci\u00f3n Cuota de CloudStack permite a los administradores de la nube implementar un sistema de cuota o l\u00edmite de uso para los recursos de la nube y est\u00e1 deshabilitada de forma predeterminada. En los entornos donde la funci\u00f3n est\u00e1 habilitada, debido a la falta de cumplimiento de las comprobaciones de acceso, las cuentas de usuario no administrativas de CloudStack pueden acceder y modificar las configuraciones y los datos relacionados con la cuota. Este problema afecta a Apache CloudStack desde la versi\u00f3n 4.7.0 hasta la 4.18.2.3 y desde la versi\u00f3n 4.19.0.0 hasta la 4.19.1.1, donde la funci\u00f3n Cuota est\u00e1 habilitada. Se recomienda a los usuarios que actualicen a Apache CloudStack 4.18.2.4 o 4.19.1.2, o posterior, que soluciona este problema. Como alternativa, se recomienda a los usuarios que no usan la funci\u00f3n Cuota que deshabiliten el complemento configurando la configuraci\u00f3n global \"quota.enable.service\" en \"false\"."}], "id": "CVE-2024-45461", "lastModified": "2024-10-17T20:50:10.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.7, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2024-10-16T08:15:05.717", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"}, {"source": "security@apache.org", "url": "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/ktsfjcnj22x4kg49ctock3d9tq7jnvlo"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@apache.org", "type": "Secondary"}]}

{}