The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
History

Thu, 17 Oct 2024 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache cloudstack
CPEs cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache cloudstack

Wed, 16 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache Software Foundation
Apache Software Foundation apache Cloudstack
CPEs cpe:2.3:a:apache_software_foundation:apache_cloudstack:*:*:*:*:*:*:*:*
Vendors & Products Apache Software Foundation
Apache Software Foundation apache Cloudstack
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 16 Oct 2024 08:00:00 +0000

Type Values Removed Values Added
Description The logout operation in the CloudStack web interface does not expire the user session completely which is valid until expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired session to gain access to resources owned by the logged out user account. This issue affects Apache CloudStack from 4.15.1.0 through 4.18.2.3; and from 4.19.0.0 through 4.19.1.1. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue.
Title Apache CloudStack: Incomplete session invalidation on web interface logout
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-10-16T07:53:40.129Z

Updated: 2024-10-16T14:54:34.977Z

Reserved: 2024-08-29T08:57:32.948Z

Link: CVE-2024-45462

cve-icon Vulnrichment

Updated: 2024-10-16T08:03:42.134Z

cve-icon NVD

Status : Modified

Published: 2024-10-16T08:15:05.933

Modified: 2024-11-21T09:37:48.420

Link: CVE-2024-45462

cve-icon Redhat

No data.