By default, CloudStack account-users authenticate to the API and UI with a username and password. Account-users can also generate and register randomised API and secret keys and use them for API-based automation and integrations. Due to an access permission validation issue affecting Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query the API and secret keys of all registered account-users in an environment, including those of a root admin. An attacker with domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations, which can result in compromise of the integrity and confidentiality of resources, data loss, denial of service, and loss of availability of CloudStack-managed infrastructure.
Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated, since the upgrade fixes the permission check but does not invalidate keys that may already have been read.
History
Fri, 11 Oct 2024 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-276 | |
Mon, 19 Aug 2024 14:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-200 | |
Mon, 19 Aug 2024 14:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-863 | |
Mon, 12 Aug 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Apache, Apache cloudstack | |
Weaknesses | CWE-276 | |
CPEs | cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:* | |
Vendors & Products | Apache, Apache cloudstack | |
Metrics | cvssV3_1 | cvssV3_1 |
Wed, 07 Aug 2024 20:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | cvssV3_1 | |
Wed, 07 Aug 2024 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |
Wed, 07 Aug 2024 07:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated. | |
Title | Apache CloudStack: User Key Exposure to Domain Admins | |
Weaknesses | CWE-200 | |
References | | |
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-08-07T07:17:08.811Z
Updated: 2024-09-03T19:58:27.161Z
Reserved: 2024-07-29T11:57:03.344Z
Link: CVE-2024-42062
Vulnrichment
Updated: 2024-08-07T08:03:17.884Z
NVD
Status: Analyzed
Published: 2024-08-07T08:16:12.250
Modified: 2024-10-11T13:26:48.907
Link: CVE-2024-42062
Redhat
No data.