- Description: CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStack versions from 4.16.0, users who have access, prior access or knowledge of resource UUIDs can list and add comments (annotations) to such resources. An attacker with a user account and access to or prior knowledge of resource UUIDs may exploit this issue to read the contents of the comments (annotations) or add malicious comments (annotations) to such resources. This may cause a potential loss of confidentiality of CloudStack environments and resources if the comments (annotations) contain any privileged information. However, guessing or brute-forcing resource UUIDs is generally hard to impossible, and access to listing or adding comments isn't the same as access to CloudStack resources, making this issue of very low severity and general low impact. CloudStack admins may also disallow listAnnotations and addAnnotation API access to non-admin roles in their environment as an interim measure.
- Source: security@apache.org
- NVD status: Received
CVSS 3.1
- Type: Secondary
- Base score: 4.3
- Impact score: 1.4
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Severity: MEDIUM
- CWE-200 (source: security@apache.org)
- Hype score: Not currently trending
CVE-2025-22828: Apache CloudStack 4.16.0 and later versions have a broken access control issue that allows users with knowledge of resource UUIDs to read or add comments (annotations) on resources they are not authorized to access. https://t.co/lj1lHKGDAF https://t.co/rS44ypP
@cyber_advising
31 Jan 2025
555 Impressions
1 Retweet
6 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-22828: Apache CloudStack: Unauthorised access to annotations https://t.co/80K2O0zrCz Attacker with a user account and access to or prior knowledge of resource UUIDs may read contents of the comments (annotations) or add malicious comments (annotations) to such resources
@oss_security
13 Jan 2025
74 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ensure your CloudStack Security. Read more about CVE-2025-22828: Unauthorised access to annotations. Check the Apache CloudStack security advisory here: https://t.co/SFmTDvtlmF https://t.co/WqJvnfOkeg
@CloudStack
13 Jan 2025
160 Impressions
2 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
The Apache CloudStack project has announced CVE-2025-22828 - Unauthorised access to annotations. Check ShapeBlue's advisory to understand the nature of the vulnerability and how to address it to ensure your CloudStack security: https://t.co/44dRKb6NzK https://t.co/hnivISgmDn
@shapeblue
13 Jan 2025
40 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-22828 CloudStack users can add and read comments (annotations) on resources they are authorised to access. Due to an access validation issue that affects Apache CloudStac… https://t.co/q1q67g1zyH
@CVEnew
13 Jan 2025
372 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes