Improper privilege management in Apache CloudStack - CVE-2024-50386

 

Improper privilege management in Apache CloudStack - CVE-2024-50386

Published: November 15, 2024


Vulnerability identifier: #VU100517
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber
CVE-ID: CVE-2024-50386
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache CloudStack

Detailed vulnerability description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due the application allows users to register templates to be downloaded directly to the primary storage for deploying instances however does not perform validation checks for KVM-compatible templates. A remote user who can register such templates can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems.


How to mitigate CVE-2024-50386

Install updates from vendor's website.

Sources