CVE-2024-41107

HIGH NUCLEI

Apache CloudStack 4.5.0-4.18.2.1 - Authentication Bypass via SAML Response Spoofing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-41107. PoCs published by d0rb. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a functional Python exploit for CVE-2024-41107, which targets an authentication bypass vulnerability in Apache CloudStack's SAML implementation. The exploit generates unsigned SAML responses to gain unauthorized access to user accounts.

Description

CloudStack SAML authentication (disabled by default) does not enforce signature checks. In CloudStack environments where SAML authentication is enabled, an attacker who initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and the known or guessed username and other user details of a SAML-enabled CloudStack user account. In such environments, this can result in complete compromise of the resources owned by and/or accessible to a SAML-enabled user account. Affected users are advised to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or to upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.

Exploits (1)

nomisec WORKING POC 8 stars
by d0rb · poc
https://github.com/d0rb/CVE-2024-41107

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Apache CloudStack versions 4.5.0 through 4.18.2.1 and 4.19.0.0 through 4.19.0.2
No auth needed
Prerequisites: Target CloudStack instance URL · Python 3.x with requests and beautifulsoup4 libraries
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Apache CloudStack - SAML Signature Exclusion
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, pdresearch
FOFA: app="APACHE-CloudStack"

Scores

CVSS v3 8.1
EPSS 0.1776
EPSS Percentile 96.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-290
Status published
Products (1)
apache/cloudstack 4.5.0 - 4.18.2.2
Published Jul 19, 2024
Tracked Since Feb 18, 2026