#VU100517 Improper privilege management in Apache CloudStack - CVE-2024-50386
Published: November 15, 2024
Vulnerability identifier: #VU100517
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber
CVE-ID: CVE-2024-50386
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache CloudStack
Apache CloudStack
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due the application allows users to register templates to be downloaded directly to the primary storage for deploying instances however does not perform validation checks for KVM-compatible templates. A remote user who can register such templates can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems.
Remediation
Install updates from vendor's website.