CVE-2025-59454

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-59454
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59454.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59454
Published
2025-11-27T12:15:47.550Z
Modified
2026-04-10T05:32:03.657053Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory

While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope.

Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.

References

Affected packages

Git / github.com/apache/cloudstack

Affected ranges

Type
GIT
Repo
https://github.com/apache/cloudstack
Events
Introduced
6355965dcd956811dd471a9d03c73dadcf68f480
Fixed
4dc3931233bafb748d5fe2c7e0f6f3499d76bc3a
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
f9513b47bf8cda46c2cee7e31d4d662346bc7399
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.20.2.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.21.0.0"
        }
    ]
}

Affected versions

4.*
4.12.0.0
4.16.0.0
4.17.0.0
4.18.0.0
4.20.0.0
4.20.1.0
4.21.0.0
Other
acton-beta1-prerelease-1
ovm3
tag-3.*
tag-3.0.1-prerelease-1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59454.json"