Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-42062

CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.

Published

2024-08-07T08:16:12.250

Last Modified

2024-11-21T09:33:30.597

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

Weaknesses

Type: Secondary
CWE-863
Type: Primary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	cloudstack	< 4.18.2.3	Yes
Application	apache	cloudstack	< 4.19.1.1	Yes

References

https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 Vendor Advisory ([email protected])
https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj Mailing List, Release Notes ([email protected])
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2024/08/06/5 (af854a3a-2127-422b-91ae-364da2661108)