#VU105110 Improper access control in Apache CloudStack - CVE-2025-22828
Published: February 28, 2025
Vulnerability identifier: #VU105110
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-22828
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache CloudStack
Apache CloudStack
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can guess resource UUIDs and read annotations on resources they are not allowed to access.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
As a temporary solution the vendor recommends disabling listAnnotations and addAnnotation API access to non-admin roles.