CVE-2024-41107

HIGH NUCLEI

Apache Cloudstack < 4.18.2.2 - Authentication Bypass by Spoofing

Description

CloudStack SAML authentication (disabled by default) does not enforce signature checks. In CloudStack environments where SAML authentication is enabled, an attacker who initiates CloudStack SAML single sign-on can bypass authentication by submitting a spoofed SAML response that carries no signature, together with the known or guessed username and other user details of a SAML-enabled CloudStack user account. In such environments, this can result in complete compromise of the resources owned by and/or accessible to a SAML-enabled user account. Affected users are advised to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or to upgrade to version 4.18.2.2, 4.19.1.0 or later, which address this issue.
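For defenders who cannot upgrade or disable SAML immediately, the following added example (not CloudStack code and not part of the original advisory) sketches a pre-check that a reverse proxy or log audit could apply to the base64 SAMLResponse form value of the SAML HTTP-POST binding, flagging responses that carry no ds:Signature element. The function name and sample documents are assumptions constructed for illustration; the check tests only for the presence of a signature element and does not validate it.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_gaps(saml_response_b64: str) -> list[str]:
    """Return reasons to flag a SAMLResponse form value; [] means a
    ds:Signature element is present on the response or on every assertion."""
    try:
        xml = base64.b64decode(saml_response_b64, validate=True)
    except ValueError:
        return ["not valid base64"]
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["DTD present"]  # refuse entity declarations before parsing
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return ["not well-formed XML"]
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    # Only a direct child counts; a Signature nested elsewhere signs nothing here.
    if root.find("ds:Signature", NS) is not None:
        return []
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return ["unsigned response with encrypted assertion: cannot inspect"]
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return ["no assertion and no response signature"]
    return [f"assertion {i} has no ds:Signature"
            for i, a in enumerate(assertions, 1)
            if a.find("ds:Signature", NS) is None]

def _sample(signed: bool) -> str:
    """Constructed minimal SAML response, with or without a signature element."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion>{sig}<saml:Subject/></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for signed in (True, False):
        print("signed" if signed else "unsigned", signature_gaps(_sample(signed)))
```

An empty result only means a signature element exists; cryptographic verification still depends on running a fixed CloudStack version.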

Exploits (1)

nomisec WORKING POC 8 stars
by d0rb · poc
https://github.com/d0rb/CVE-2024-41107

Nuclei Templates (1)

Apache CloudStack - SAML Signature Exclusion
CRITICAL VERIFIED by iamnoooob, rootxharsh, pdresearch
FOFA: app="APACHE-CloudStack"

Scores

CVSS v3 8.1
EPSS 0.9200
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-290
Status published
Products (1)
apache/cloudstack 4.5.0 - 4.18.2.2
Published Jul 19, 2024
Tracked Since Feb 18, 2026