PT-2024-22665 · Unknown · Cloudstack
Yuyang Xiao · Published 2024-04-04 · Updated 2024-04-05 · CVE-2024-29006
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CloudStack versions prior to 4.18.1.1
CloudStack versions prior to 4.19.0.1
Description
By default, the CloudStack management server honours the X-Forwarded-For HTTP header and logs its value as the source IP of an API request. Because the header is client-controlled, this could lead to authentication bypass and other operational problems if an attacker spoofs their source IP address through it.
Recommendations
For versions prior to 4.18.1.1, upgrade to CloudStack version 4.18.1.1.
For versions prior to 4.19.0.1, upgrade to CloudStack version 4.19.0.1.
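The trust decision behind the description above, as an added example that is not CloudStack's code: a resolver that mirrors the flawed default beside one that honours X-Forwarded-For only when the TCP peer is a configured trusted proxy. The proxy range, the addresses and the header dictionary (keys assumed lower-cased) are constructed for the example.

```python
import ipaddress
from typing import Mapping, Sequence

# Constructed for this example: the only hosts allowed to set X-Forwarded-For are
# the reverse proxies in front of the management server. Everything else is a client.
TRUSTED_PROXY_CIDRS = ("10.0.0.0/24",)


def _in_any(addr, cidrs: Sequence[str]) -> bool:
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def client_ip_vulnerable(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Mirrors the flawed default: a client-supplied X-Forwarded-For wins outright,
    so whatever it says becomes the 'source IP' used for allowlisting and logging."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_hardened(peer_ip: str, headers: Mapping[str, str],
                       trusted: Sequence[str] = TRUSTED_PROXY_CIDRS) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and take the
    right-most address that is not itself a trusted proxy: that is the one the last
    proxy saw on the wire, while anything to its left was supplied by the client."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, trusted):
        return peer_ip                      # direct connection: the header is untrusted
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):              # assumes every trusted proxy appends its peer
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip                  # malformed header: fall back to the socket
        if not _in_any(addr, trusted):
            return str(addr)
    return peer_ip


def is_allowlisted(client_ip: str, allowlist_cidrs: Sequence[str]) -> bool:
    """A source-IP check of the kind a spoofed header would otherwise satisfy."""
    return _in_any(ipaddress.ip_address(client_ip), allowlist_cidrs)
```

With the vulnerable resolver a direct connection carrying `X-Forwarded-For: 127.0.0.1` is treated as loopback; the hardened one ignores the header because the peer is not a trusted proxy, and logs the socket address instead.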
Fix
Authentication Bypass by Spoofing
Weakness Enumeration
Related Identifiers
Affected Products
Cloudstack