Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <de79607e-b1df-487e-a4d5-d8d23da3bda0@apache.org>
Date: Fri, 8 May 2026 14:17:44 +0200
From: "Piotr P. Karwasz" <pkarwasz@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-69233: Apache CloudStack: Domain/account resources limits
 not honored

Severity: moderate

Affected versions:

- Apache CloudStack 4.0.0 through 4.20.2.0
- Apache CloudStack 4.21.0.0 through 4.22.0.0

Description:

Due to multiple time-of-check time-of-use race conditions in the
resource count check and increment logic, as well as missing
validations, users of the platform are able to exceed the allocation
limits configured for their accounts/domains. This can be used by an
attacker to degrade the infrastructure's resources and lead to denial of
service conditions.

Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0
or 4.22.0.1, or later, which fixes this issue.

Credit:

Fernando Oliveira <ferolicar82@...il.com> (reporter)
Gustavo Viana <viana.gust@...il.com> (reporter)

References:

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
https://cloudstack.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-69233

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.