Apache CloudStack Access Control Vulnerability Leading to Unauthorized Data Access

Vulnerability

An access control vulnerability has been identified in Apache CloudStack versions 4.0.0 up to but not including 4.20.2.0, and 4.21.0 up to but not including 4.22.0.0. It affects several APIs, including createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory, and listVolumesUsageHistory. These APIs are only reachable by authenticated, authorized callers, but they did not properly validate the caller's permission for the specific resources being requested, so some users could retrieve information beyond their intended scope.

Impact

An authenticated user who is permitted to call one of the affected APIs could use it to obtain information they are not entitled to view. Valid CloudStack credentials are required; the flaw does not grant anonymous access.

Remediation

Users are advised to upgrade to Apache CloudStack 4.20.2.0 (for deployments on 4.20 and earlier) or 4.22.0.0 (for deployments on 4.21), both of which address this vulnerability.
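To decide whether a given deployment falls inside the two affected ranges above, the following version check can be run against the version string reported by the management server. This is an added example written for this page, not code from the Apache CloudStack project; the helper names (parse_version, is_affected, upgrade_target) and the sample version strings are assumptions made here for illustration.

```python
import re

# Affected ranges taken from the advisory (inclusive start, exclusive end):
#   4.0.0  <= v < 4.20.2.0   -> fixed in 4.20.2.0
#   4.21.0 <= v < 4.22.0.0   -> fixed in 4.22.0.0
AFFECTED_RANGES = [
    ((4, 0, 0, 0), (4, 20, 2, 0)),
    ((4, 21, 0, 0), (4, 22, 0, 0)),
]
FIXED_VERSION_FOR_RANGE_END = {
    (4, 20, 2, 0): "4.20.2.0",
    (4, 22, 0, 0): "4.22.0.0",
}


def parse_version(text):
    """Turn a CloudStack version string such as '4.20.1.0', '4.21.0'
    or '4.21.0.0-SNAPSHOT' into a 4-tuple of ints.

    Anything after the first '-' (e.g. a SNAPSHOT suffix) is ignored and
    missing trailing components are treated as 0."""
    core = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+){0,3}", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(text):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def upgrade_target(text):
    """The fixed release for the affected line the version is on,
    or None if the version is not affected."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return FIXED_VERSION_FOR_RANGE_END[hi]
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real deployment.
    for ver in ["4.19.1.3", "4.20.1.0", "4.20.2.0",
                "4.21.0.0-SNAPSHOT", "4.22.0.0"]:
        status = "affected" if is_affected(ver) else "not affected"
        print(f"{ver:20} {status:13} upgrade to: {upgrade_target(ver)}")
```

Only the version boundaries from the advisory are encoded; a deployment on an unaffected version still needs the normal review of who is granted the affected API calls, since the fix tightens permission validation inside those calls rather than removing them.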

Added: Nov 27, 2025, 12:18 PM
Updated: Nov 27, 2025, 1:22 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 1.1
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.