CVE-2025-59454

MEDIUM

Apache Cloudstack < 4.20.2.0 - Information Disclosure

Title source: rule

Description

In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2025/11/27/3

Scores

CVSS v3 4.3

EPSS 0.0012

EPSS Percentile 31.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-200

Status published

Affected Products (2)

apache/cloudstack < 4.20.2.0

apache/cloudstack

Timeline

Published Nov 27, 2025

Tracked Since Feb 18, 2026