The Apache CloudStack project announced today the release of LTS versions 4.20.2.0 and 4.22.0.0, which address CVE-2025-59302 and CVE-2025-59454 – both low-severity vulnerabilities affecting CloudStack users as described below.
CVE-2025-59302: Exposure of Sensitive Information to an Unauthorised Actor
In Apache CloudStack, an improper control of generation of code (‘Code Injection’) vulnerability was found in the following APIs, which are accessible only to admins:
– quotaTariffCreate
– quotaTariffUpdate
– createSecondaryStorageSelector
– updateSecondaryStorageSelector
– updateHost
– updateStorage
The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.
CVE-2025-59454: Exposure of Sensitive Information to an Unauthorised Actor
In Apache CloudStack, a gap in access control checks affected the following APIs:
– createNetworkACL
– listNetworkACLs
– listResourceDetails
– listVirtualMachinesUsageHistory
– listVolumesUsageHistory
While these APIs were accessible only to authorised users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.
Affected Versions
CVE-2025-59302: Apache CloudStack 4.18.0.0 through 4.20.1.0 and 4.21.0.0
CVE-2025-59454: Apache CloudStack 4.0.0 through 4.20.1.0 and 4.21.0.0
Resolution
Affected users are recommended to upgrade to version 4.20.2.0, 4.22.0.0 or later, which address these issues.
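The following Python script is an added example, not part of the advisory or of the CloudStack project's code. It turns the affected-version ranges and the new js.interpretation.enabled global setting into an offline-testable check: it signs CloudStack API requests with the standard API-key/secret-key HMAC-SHA1 scheme, reads cloudstackversion from listCapabilities and the flag from listConfigurations. The management-server endpoint and keys are yours to supply; treating an absent flag as "fixed release not installed" is an assumption drawn from the statement that the fix introduces the flag.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

FLAG = "js.interpretation.enabled"  # global setting introduced by the fix for CVE-2025-59302
AFFECTED = {  # inclusive version ranges quoted from the advisory
    "CVE-2025-59302": [((4, 18, 0, 0), (4, 20, 1, 0)), ((4, 21, 0, 0), (4, 21, 0, 0))],
    "CVE-2025-59454": [((4, 0, 0, 0), (4, 20, 1, 0)), ((4, 21, 0, 0), (4, 21, 0, 0))],
}

def parse_version(text):
    """'4.20.1.0' -> (4, 20, 1, 0); shorter strings are zero-padded."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def affected_cves(version):
    """CVEs from the advisory whose affected range contains this version."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(lo <= v <= hi for lo, hi in ranges))

def sign_request(params, api_key, secret_key):
    """Standard CloudStack signing: sorted URL-encoded pairs, lower-cased, HMAC-SHA1, base64."""
    encoded = {k: urllib.parse.quote(str(v), safe="")
               for k, v in dict(params, apikey=api_key, response="json").items()}
    query = "&".join(f"{k}={encoded[k]}" for k in sorted(encoded))
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    return query + "&signature=" + urllib.parse.quote(base64.b64encode(digest).decode(), safe="")

def js_flag_enabled(response):
    """True/False for the flag in a listConfigurations reply; None when the flag is absent
    (assumption: an absent flag means the fixed release is not installed)."""
    for cfg in response.get("listconfigurationsresponse", {}).get("configuration", []):
        if cfg.get("name") == FLAG:
            return str(cfg.get("value")).lower() == "true"
    return None

def assess(endpoint, api_key, secret_key):
    """Ask a management server for its version, open CVEs from this advisory and flag state."""
    def call(params):
        url = endpoint.rstrip("/") + "/client/api?" + sign_request(params, api_key, secret_key)
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)
    version = call({"command": "listCapabilities"})["listcapabilitiesresponse"]["capability"]["cloudstackversion"]
    flag = js_flag_enabled(call({"command": "listConfigurations", "name": FLAG}))
    return {"version": version, "open_cves": affected_cves(version), "js_interpretation_enabled": flag}
```

An admin account is needed because listConfigurations is admin-only; a result of "js_interpretation_enabled": True on a patched server means the JavaScript interpretation the advisory describes is still permitted in the listed APIs.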
Release Notes
The 4.20.2.0 and 4.22.0.0 release notes can be found at:
https://ift.tt/SCXq39g
https://ift.tt/MxEDvXF
The post ShapeBlue Security Advisory for CVE-2025-59302 and CVE-2025-59454 appeared first on ShapeBlue.