By default the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead to authentication bypass and other operational problems should an attacker decide to spoof their IP address this way. Users are recommended to upgrade to CloudStack version 4.18.1.1 or 4.19.0.1, which fixes this issue.
The CloudStack management server reads the x-forwarded-for header from incoming HTTP requests and records it as the actual client source address. An attacker can send any value in this header, impersonating a trusted IP address. This mechanism is classified as CWE-290 (Authentication Bypass by Spoofing) because the system does not verify the authenticity of the provided address. As a result, IP address-based access controls can be effectively bypassed.
An attacker can bypass authentication and IP address-based access control, gaining unauthorized access to the CloudStack management API. This can lead to complete takeover of cloud infrastructure, including data and resource reading, modification, and destruction.
Apache CloudStack should be updated to version 4.18.1.1 or 4.19.0.1, which eliminate the described vulnerability. As additional security, it is advisable to restrict access to the management API exclusively to trusted networks at the firewall level.
Apache CloudStack in versions prior to 4.18.1.1 and 4.19.0.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Cloudstack
APPApache4.19.0.04.11.0.0 – 4.18.1.1 (bez)
Related vulnerabilities
Apache CloudStack: nieautoryzowany dostęp między tenantami przez rozszerzenie Proxmox
Apache CloudStack — RCE przez niechroniony port integracyjny API
Apache CloudStack — RCE przez nieuwierzytelniony port klastra (9090)
Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found...
A buffer overflow vulnerability has been found in the baremetal component of Apache CloudStack. This applies t...