Apache CloudStack: Lack of user permission validation leading to data...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL
- listNetworkACLs
- listResourceDetails
- listVirtualMachinesUsageHistory
- listVolumesUsageHistory

While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.

Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.

Basic Information

ID CVE-2025-59454

Source apache

Published Nov 27, 2025 at 11:40

Modified Nov 28, 2025 at 15:41

Affected Product

Vendor Apache Software Foundation

Product Apache CloudStack

Version 4.0.0

Affected Versions Apache Software Foundation Apache CloudStack 4.0.0
Apache Software Foundation Apache CloudStack 4.21.0

CWE Classification

CWE-200

References

lists.apache.org /thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc

{
    "lastseen": "",
    "description": "In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL\n- listNetworkACLs\n- listResourceDetails\n- listVirtualMachinesUsageHistory\n- listVolumesUsageHistory\n\nWhile these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.\n\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.",
    "published": "2025-11-27T11:40:40.043Z",
    "modified": "2025-11-28T15:41:44.599Z",
    "type": "cve",
    "title": "Apache CloudStack: Lack of user permission validation leading to data leak for few APIs",
    "source": "apache",
    "references": "https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc",
    "id": "CVE-2025-59454",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache CloudStack 4.0.0\nApache Software Foundation Apache CloudStack 4.21.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache CloudStack",
    "version": "4.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache CloudStack: Lack of user permission validation leading to data leak for few APIs_CVE-2025-59454