CVE-2025-59454: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache CloudStack
In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.
CVE-2025-59454: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache CloudStack
Description
In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2025-09-16T05:22:52.960Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69283990e4a84287b535af7c
Added to database: 11/27/2025, 11:44:16 AM
Last updated: 11/27/2025, 11:44:54 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-59890: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Eaton Eaton Galileo Software
HighCVE-2025-10476: CWE-862 Missing Authorization in emrevona WP Fastest Cache
MediumCVE-2025-59026: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Open-Xchange GmbH OX App Suite
MediumCVE-2025-59025: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Open-Xchange GmbH OX App Suite
MediumCVE-2025-30190: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Open-Xchange GmbH OX App Suite
MediumActions
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.