Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-42222

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data. Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.

Published

2024-08-07T08:16:12.473

Last Modified

2025-03-14T16:15:34.940

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-200
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	cloudstack	4.19.1.0	Yes

References

https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 Vendor Advisory ([email protected])
https://github.com/apache/cloudstack/issues/9456 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj Mailing List, Vendor Advisory ([email protected])
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2024/08/06/6 (af854a3a-2127-422b-91ae-364da2661108)