Severity: low
Affected versions:
- Apache CloudStack 4.18.0 before 4.20.2
- Apache CloudStack 4.21.0 before 4.22.0
Description:
An improper control of generation of code ('Code Injection') vulnerability
exists in Apache CloudStack in the following APIs, all of which are accessible
only to admin accounts:
* quotaTariffCreate
* quotaTariffUpdate
* createSecondaryStorageSelector
* updateSecondaryStorageSelector
* updateHost
* updateStorage
This issue affects Apache CloudStack from 4.18.0 before 4.20.2 and from 4.21.0
before 4.22.0. Users are recommended to upgrade to version 4.20.2 or 4.22.0,
which contain the fix.
The fix introduces a new global configuration flag, js.interpretation.enabled,
that lets administrators control whether JavaScript expressions passed to
these APIs are interpreted, thereby mitigating the code injection risk.
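Because the advisory makes the exposure depend on a global setting rather than on the version alone, the practical post-upgrade check is to read js.interpretation.enabled through the API. The script below is an added example and not Apache CloudStack project code: it signs CloudStack API requests the way the API documents (parameters sorted by name, lower-cased, HMAC-SHA1 with the secret key, Base64, URL-encoded), evaluates a listConfigurations response, and can build the updateConfiguration request that turns the flag off. ENDPOINT, API_KEY, SECRET_KEY and the sample JSON responses are constructed placeholders, and the reading that a value of "true" means JavaScript expressions are interpreted is an assumption based on the flag's name and the advisory text.

```python
"""Check the js.interpretation.enabled global setting on a CloudStack
management server. Added example, not CloudStack project code. ENDPOINT,
API_KEY, SECRET_KEY and the SAMPLE_* responses are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

SETTING = "js.interpretation.enabled"

# Constructed placeholders: replace with a real management server and an
# admin account's API key pair to run the live check.
ENDPOINT = "https://cloudstack.example.invalid/client/api"
API_KEY = "example-api-key"
SECRET_KEY = "example-secret-key"


def _encode(value):
    # Match Java's URLEncoder as the server applies it: space -> %20, '*' literal.
    return urllib.parse.quote_plus(str(value), safe="*").replace("+", "%20")


def canonical_query(params):
    """String the server signs: key=value pairs sorted by lower-cased key,
    values URL-encoded, and the whole string lower-cased."""
    pairs = [f"{k}={_encode(params[k])}" for k in sorted(params, key=str.lower)]
    return "&".join(pairs).lower()


def sign(params, secret_key):
    """HMAC-SHA1 over the canonical query, Base64, then URL-encoded."""
    digest = hmac.new(secret_key.encode(), canonical_query(params).encode(),
                      hashlib.sha1).digest()
    return urllib.parse.quote(base64.b64encode(digest).decode(), safe="")


def build_url(endpoint, api_key, secret_key, **command_params):
    """Signed GET URL for one API command."""
    params = dict(command_params, apiKey=api_key, response="json")
    query = "&".join(f"{k}={_encode(v)}" for k, v in params.items())
    return f"{endpoint}?{query}&signature={sign(params, secret_key)}"


def js_interpretation_enabled(response_json):
    """True/False from a listConfigurations response; None when the setting
    is not returned, which is what a version without the fix gives."""
    body = json.loads(response_json).get("listconfigurationsresponse", {})
    for conf in body.get("configuration", []):
        if conf.get("name") == SETTING:
            # Assumption: "true" means JavaScript expressions are interpreted.
            return str(conf.get("value", "")).lower() == "true"
    return None


def verdict(enabled):
    if enabled is None:
        return "setting not present: version without the fix, upgrade to 4.20.2 or 4.22.0"
    if enabled:
        return "JavaScript interpretation enabled: the admin-only code injection surface is reachable"
    return "JavaScript interpretation disabled"


def fetch_setting(endpoint=ENDPOINT, api_key=API_KEY, secret_key=SECRET_KEY):
    """Live check against a management server (needs real credentials)."""
    url = build_url(endpoint, api_key, secret_key,
                    command="listConfigurations", name=SETTING)
    with urllib.request.urlopen(url, timeout=15) as resp:
        return js_interpretation_enabled(resp.read().decode())


def disable_url(endpoint=ENDPOINT, api_key=API_KEY, secret_key=SECRET_KEY):
    """Signed updateConfiguration request that turns the flag off."""
    return build_url(endpoint, api_key, secret_key,
                     command="updateConfiguration", name=SETTING, value="false")


# Constructed sample responses in the shape listConfigurations returns.
SAMPLE_ENABLED = json.dumps({"listconfigurationsresponse": {"count": 1,
    "configuration": [{"name": SETTING, "value": "true"}]}})
SAMPLE_DISABLED = json.dumps({"listconfigurationsresponse": {"count": 1,
    "configuration": [{"name": SETTING, "value": "false"}]}})
SAMPLE_UNPATCHED = json.dumps({"listconfigurationsresponse": {"count": 0}})

if __name__ == "__main__":
    # Offline demonstration on the constructed samples; call fetch_setting()
    # with real credentials for a live check.
    for sample in (SAMPLE_ENABLED, SAMPLE_DISABLED, SAMPLE_UNPATCHED):
        print(verdict(js_interpretation_enabled(sample)))
```

Disabling the flag removes a feature, not just an attack surface: before sending the updateConfiguration request, confirm that no quota tariffs or secondary storage selectors in the deployment rely on JavaScript expressions, and treat the admin API keys used here with the same care as any other root-admin credential, since the vulnerable APIs are reachable only with them.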
Credit:
Tianyi Cheng <[email protected]> (finder)
References:
https://cloudstack.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-59302