CVE-2025-22829

MEDIUM

Apache Cloudstack - Improper Privilege Management

Title source: rule

Description

The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations. Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.

References (3)

Scores

CVSS v3 4.3
EPSS 0.0019
EPSS Percentile 41.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Classification

CWE
CWE-269
Status published

Affected Products (1)

apache/cloudstack

Timeline

Published Jun 10, 2025
Tracked Since Feb 18, 2026