CVE-2024-42062

EPSS 0.11%
Published 07.08.2024 08:16:12
Last modified 21.11.2024 09:33:30
Source security@apache.org
Teams watchlist Login
Open Login

CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure.

Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Cloudstack Version >= 4.10.0.0 < 4.18.2.3

Apache ≫ Cloudstack Version >= 4.19.0.0 < 4.19.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.11%	0.308

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3

Vendor Advisory

https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj

Mailing List

Release Notes

https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/

Third Party Advisory

http://www.openwall.com/lists/oss-security/2024/08/06/5

https://nvd.nist.gov/vuln/detail/CVE-2024-42062

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-42062

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-42062

EUVD