PT-2025-4736 · Apache · Apache Cloudstack

Alex Perrakis

Published: 2025-01-13 · Updated: 2025-07-01

CVE-2025-22828

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
The affected software is Apache CloudStack, versions 4.16.0 onwards. The vulnerability is an access-validation flaw that allows unauthorized access to annotations (comments attached to resources), which can lead to loss of confidentiality for CloudStack environments and resources if those comments contain privileged information. An attacker with a user account and access to, or prior knowledge of, resource UUIDs can exploit this issue to read the contents of comments or to add malicious comments to resources.

However, guessing or brute-forcing resource UUIDs is generally hard to impossible, and the ability to list or add comments is not the same as access to the CloudStack resources themselves, so this issue is of very low severity and generally low impact. No public exploit is available for this vulnerability, and it is not known to have been exploited by attackers. As an interim measure, CloudStack admins can disallow listAnnotations and addAnnotation API access for non-admin roles.
#ApacheCloudStack #CVE202522828 #UnauthorisedAccess #Annotations #CloudSecurity #Vulnerability #LowSeverity #LowImpact
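One way to apply the interim measure above, as an added example that is not part of the advisory or of the CloudStack project: it builds signed createRolePermission requests (CloudStack's HMAC-SHA1 request signing) that add a deny rule for the two annotation APIs to every non-admin role. The endpoint, the credentials, the sample role list and the `type == "Admin"` check are assumptions; nothing is sent over the network.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlencode

# Hypothetical endpoint and credentials for illustration only.
ENDPOINT = "https://cloudstack.example/client/api"
API_KEY, SECRET_KEY = "EXAMPLE_API_KEY", "EXAMPLE_SECRET_KEY"

# The two APIs the advisory says to withhold from non-admin roles.
INTERIM_DENY_RULES = ("listAnnotations", "addAnnotation")

# Constructed sample of a listRoles result; ids and type labels are assumed.
SAMPLE_ROLES = [
    {"id": "1", "name": "Root Admin", "type": "Admin"},
    {"id": "3", "name": "Domain Admin", "type": "DomainAdmin"},
    {"id": "4", "name": "User", "type": "User"},
]

def canonical_query(params: dict) -> str:
    """String CloudStack signs: URL-encoded key=value pairs, sorted by
    lowercased key, joined with '&', then the whole string lowercased."""
    items = sorted((k.lower(), quote(str(v), safe="*")) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in items).lower()

def sign(params: dict, secret: str) -> str:
    """CloudStack request signature: base64(HMAC-SHA1(secret, canonical query))."""
    mac = hmac.new(secret.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_url(params: dict, api_key: str = API_KEY, secret: str = SECRET_KEY) -> str:
    """Request URL with apiKey and response=json added and the signature appended."""
    params = dict(params, apiKey=api_key, response="json")
    params["signature"] = sign(params, secret)
    return f"{ENDPOINT}?{urlencode(params)}"

def deny_annotation_apis(roles: list) -> list:
    """One signed createRolePermission call per non-admin role and denied API.
    Role rules are evaluated in order (first match wins), so afterwards check
    listRolePermissions that no earlier allow rule shadows the new deny entries."""
    urls = []
    for role in roles:
        if role["type"] == "Admin":  # root admins keep access to both APIs
            continue
        for rule in INTERIM_DENY_RULES:
            params = {"command": "createRolePermission", "roleid": role["id"],
                      "rule": rule, "permission": "deny",
                      "description": "Interim mitigation for CVE-2025-22828"}
            urls.append(signed_url(params))
    return urls
```

Pass each returned URL to an HTTP client against a real endpoint, then confirm the resulting rule order with listRolePermissions before relying on it.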

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2025-22828

Affected Products: Apache Cloudstack