6.5
CVE-2025-69233
- EPSS 0.43%
- Veröffentlicht 08.05.2026 12:19:30
- Zuletzt bearbeitet 09.05.2026 07:16:08
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache CloudStack: Domain/account resources limits not honored
Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Apache ≫ Cloudstack Version >= 4.0.0 < 4.20.3.0
Apache ≫ Cloudstack Version >= 4.21.0.0 < 4.22.0.1
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.43% | 0.344 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
|
| security@apache.org | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
http://www.openwall.com/lists/oss-security/2026/05/09/5