CVE-2025-22829

low-risk

Published 2025-06-10

The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations. Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.

Do I need to act?

0.51% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Cloudstack

Affected Vendors

Apache

References (3)

Third Party Advisory https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0

Mailing List https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60

Broken Link https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security...

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal