CVE-2024-29006

EPSS 0.07%
Veröffentlicht 04.04.2024 08:15:06
Zuletzt bearbeitet 27.03.2025 20:15:25
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

By default the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead to authentication bypass and other operational problems should an attacker decide to spoof their IP address this way. Users are recommended to upgrade to CloudStack version 4.18.1.1 or 4.19.0.1, which fixes this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Cloudstack Version >= 4.11.0.0 < 4.18.1.1

Apache ≫ Cloudstack Version4.19.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.224

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

https://lists.apache.org/thread/82f46pv7mvh95ybto5hn8wlo6g8jhjvp

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-29006

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-29006

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-29006

EUVD