CVE-2025-30675: 
Apache CloudStack vulnerability analysis and mitigation

Apache CloudStack disclosed a low-severity vulnerability (CVE-2025-30675) on June 10, 2025, affecting versions 4.0.0 through 4.19.2.0 and 4.0.0 through 4.20.0.0. The vulnerability exists in the access control mechanism of the listTemplates and listIsos APIs, which could allow Domain Admins or Resource Admins to gain unauthorized access to sensitive information (Wiz, CloudStack Blog).

The vulnerability stems from a flaw in access control affecting the listTemplates and listIsos APIs. Malicious Domain Admin or Resource Admin users can exploit this issue by specifically using the 'domainid' parameter in combination with 'filter=self' or 'filter=selfexecutable' values. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L (NVD).

When exploited, the vulnerability allows attackers to gain unauthorized visibility into templates and ISOs under the ROOT domain. This enables malicious administrators to enumerate and extract metadata of templates and ISOs belonging to unrelated domains, effectively violating isolation boundaries and potentially exposing sensitive or internal configuration details (CloudStack Blog).

The vulnerability has been fixed in Apache CloudStack versions 4.19.3.0 and 4.20.1.0. The patch ensures that domain resolution strictly adheres to the caller's scope rather than defaulting to the ROOT domain. Users are strongly recommended to upgrade to either of these versions. Additionally, users on versions older than 4.20.0.0 are specifically advised to skip version 4.20.0.0 and upgrade directly to 4.20.1.0 (CloudStack Blog).

The vulnerability was initially reported by Bernardo De Marco Gonçalves (bernardomg2004@gmail.com) and has been acknowledged by the Apache CloudStack security team. The disclosure was coordinated with the release of security patches, demonstrating a responsible vulnerability management process (CloudStack Blog).