CVE-2025-22828

CVE-2025-22828 is an access validation issue affecting Apache CloudStack versions from 4.16.0. The vulnerability enables users who have access, prior access, or knowledge of resource UUIDs to list and add comments, known as annotations, on authorized resources. Normally, CloudStack users can add and read annotations only on resources they are explicitly authorized to access, but this flaw bypasses proper validation, with a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) and mapped to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

An attacker requires a valid user account along with either current access or prior knowledge of specific resource UUIDs to exploit this issue over the network. Successful exploitation allows the attacker to read the contents of existing annotations or add malicious annotations to targeted resources, potentially leading to a loss of confidentiality if those annotations contain privileged information. However, the overall impact remains low, as guessing or brute-forcing resource UUIDs is generally difficult or impossible, and access to annotations does not equate to broader access to CloudStack resources themselves.

Advisories recommend that CloudStack administrators disallow the listAnnotations and addAnnotation API access for non-admin roles as an interim mitigation measure. References include the Apache mailing list announcement at https://lists.apache.org/thread/bbsm9fdwrgfyostzojh6ghpocgdmx8rs and the OSS-Security mailing list post at http://www.openwall.com/lists/oss-security/2025/01/13/1.