Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <1632823e-effb-4c86-adc7-8734ffc2ea07@apache.org>
Date: Fri, 8 May 2026 14:12:59 +0200
From: "Piotr P. Karwasz" <pkarwasz@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-66172: Apache CloudStack: Any user can attach a volume in
 their VMs from backups they should not have access to

Severity: important

Affected versions:

- Apache CloudStack 4.21.0.0 through 4.22.0.0

Description:

The CloudStack Backup plugin has an improper access logic in versions
4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in
CloudStack 4.21.0.0+ environments, where this plugin is enabled and have
access to specific APIs can restore a volume from any other user's
backups and attach the volume to their own VMs.

Backup plugin users using CloudStack 4.21.0.0+ are recommended to
upgrade to CloudStack version 4.22.0.1, which fixes this issue.

Credit:

Gabriel Pordeus (reporter)

References:

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
https://cloudstack.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-66172

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.