Description
In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- low
- User Action
- none
- Scope
- unchanged
- Confidentiality
- low
- Integrity
- none
- Availability
- none
- Weaknesses
- CWE-200
Metadata
- Primary Vendor
- APACHE
- Published
- 11/27/2025
- Last Modified
- 12/2/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
apache : cloudstackapache : cloudstack
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.