CVE-2025-59454
BaseFortify
Publication date: 2025-11-27
Last updated on: 2025-12-02
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | cloudstack | 4.0.0 (inclusive) to 4.20.2.0 (exclusive) |
| apache | cloudstack | 4.21.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59454 is an access-control gap in Apache CloudStack affecting five APIs: createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory and listVolumesUsageHistory. These APIs are meant to operate only on resources the caller is authorized for, but the permission validation behind them was incomplete, so in some cases an authenticated user could obtain information outside their authorized scope. This is classified as CWE-200 (exposure of sensitive information to an unauthorized actor).
How can this vulnerability impact me?
An authenticated user with access to one of the affected APIs could retrieve information about resources that do not belong to their account or domain, such as network ACL data, resource details, or VM and volume usage history. The impact is information disclosure, a loss of data confidentiality within the affected CloudStack environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which contain the fix. Note that 4.21.0.0 is itself listed as affected, so it is not a fixed version. After upgrading, verify with a low-privilege account that the five APIs above no longer return resources outside that account's scope.
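As an added example (not code from the advisory or from the CloudStack project), the script below does three things a practitioner would want when triaging this CVE: it checks a CloudStack version string against the affected ranges in the table above, it builds a signed CloudStack API request (the documented scheme: sort parameters, URL-encode values, lowercase the whole string, HMAC-SHA1 with the secret key, base64) so the five affected APIs can be exercised from a deliberately low-privilege account, and it compares the resource IDs a list* call returns against the set of IDs that account legitimately owns. The endpoint, keys, the shape of SAMPLE_RESPONSE and the `id` field name are assumptions; only the version and scope checks run offline, the HTTP call is only made when you invoke `call_api` yourself.

```python
"""Triage helpers for CVE-2025-59454 (Apache CloudStack, CWE-200)."""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# Affected ranges copied from the advisory table: [4.0.0, 4.20.2.0) and 4.21.0.0.
AFFECTED_RANGES = [((4, 0, 0, 0), (4, 20, 2, 0))]   # [inclusive, exclusive)
AFFECTED_EXACT = [(4, 21, 0, 0)]
# The five APIs the advisory names as lacking proper access-control checks.
AFFECTED_APIS = ["createNetworkACL", "listNetworkACLs", "listResourceDetails",
                 "listVirtualMachinesUsageHistory", "listVolumesUsageHistory"]


def parse_version(text):
    """'4.20.1.0' -> (4, 20, 1, 0). Shorter strings are zero-padded to four
    components; a '-SNAPSHOT' or '+build' suffix is ignored."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(version_text):
    """True if the version falls in an affected range from the advisory."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES) or v in AFFECTED_EXACT


def build_query(params, api_key):
    """Unsigned query string: parameters sorted by name, values URL-encoded
    ('*' left bare and space as %20, matching the server-side encoding)."""
    full = dict(params, apiKey=api_key, response="json")
    return "&".join(f"{k}={urllib.parse.quote(str(v), safe='*')}"
                    for k, v in sorted(full.items()))


def sign_request(params, api_key, secret_key):
    """Append the CloudStack signature: HMAC-SHA1 over the lowercased query,
    base64-encoded, then URL-encoded as a parameter value."""
    query = build_query(params, api_key)
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    return f"{query}&signature={urllib.parse.quote(signature, safe='*')}"


def call_api(endpoint, command, params, api_key, secret_key, timeout=30):
    """Signed GET against the management server, e.g.
    endpoint='https://cloudstack.example.com/client/api' (assumed URL).
    Not called anywhere in this module; run it with a low-privilege key."""
    url = f"{endpoint}?{sign_request(dict(params, command=command), api_key, secret_key)}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def extract_ids(response, id_field="id"):
    """Collect the id field of every list entry in a CloudStack-style
    {'<command>response': {'count': n, '<object>': [ {...}, ... ]}} body."""
    ids = []
    for body in response.values():
        if not isinstance(body, dict):
            continue
        for value in body.values():
            if isinstance(value, list):
                ids.extend(e[id_field] for e in value
                           if isinstance(e, dict) and id_field in e)
    return ids


def unexpected_ids(response, owned_ids, id_field="id"):
    """IDs the API returned that the calling account does not own. For a
    non-admin caller this should be empty on a fixed (4.20.2.0 / 4.22.0.0)
    server; anything here is data outside the caller's authorized scope."""
    return [i for i in extract_ids(response, id_field) if i not in owned_ids]


# Constructed sample shaped like a listVolumesUsageHistory reply; not real output.
SAMPLE_RESPONSE = {
    "listvolumesusagehistoryresponse": {
        "count": 2,
        "volume": [
            {"id": "vol-1111", "name": "alice-root", "stats": []},
            {"id": "vol-2222", "name": "bob-root", "stats": []},
        ],
    }
}

if __name__ == "__main__":
    for ver in ("4.19.1.0", "4.20.2.0", "4.21.0.0", "4.22.0.0"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    # Account 'alice' owns only vol-1111, so vol-2222 is out of scope.
    print("out of scope:", unexpected_ids(SAMPLE_RESPONSE, {"vol-1111"}))
```

To use it against a real deployment, create a plain user account in a test domain, give it an API key pair, and call each name in AFFECTED_APIS through `call_api` with a resource ID that belongs to a different account; on a fixed server the call should fail or return nothing, and `unexpected_ids` against the account's own inventory should be empty.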