Reza

**Name of the Vulnerable Software and Affected Versions** Apache CloudStack versions prior to 4.20.3.0 Apache CloudStack versions prior to 4.22.0.1 **Description** Account users can register templates for direct download to primary storage when deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on KVM hosts. This may lead to the compromise of resource integrity and confidentiality, data loss, denial of service, and loss of availability of the KVM-based infrastructure managed by CloudStack. **Recommendations** Upgrade to version 4.20.3.0 or later. Upgrade to version 4.22.0.1 or later.