CloudStack account-users by default use username- and password-based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query the API and secret keys of all registered account-users in an environment, including those of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resource integrity and confidentiality, data loss, denial of service and loss of availability of CloudStack-managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.
History

Fri, 11 Oct 2024 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-276

Mon, 19 Aug 2024 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Mon, 19 Aug 2024 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-863

Mon, 12 Aug 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache, Apache cloudstack
Weaknesses CWE-276
CPEs cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
Vendors & Products Apache, Apache cloudstack
Metrics cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 07 Aug 2024 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 07 Aug 2024 19:30:00 +0000

Type Values Removed Values Added
References

Wed, 07 Aug 2024 07:30:00 +0000

Type Values Removed Values Added
Description (the CVE description text reproduced at the top of this page)
Title Apache CloudStack: User Key Exposure to Domain Admins
Weaknesses CWE-200
References

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-08-07T07:17:08.811Z

Updated: 2024-09-03T19:58:27.161Z

Reserved: 2024-07-29T11:57:03.344Z

Link: CVE-2024-42062

Vulnrichment

Updated: 2024-08-07T08:03:17.884Z

NVD

Status: Analyzed

Published: 2024-08-07T08:16:12.250

Modified: 2024-10-11T13:26:48.907

Link: CVE-2024-42062

Redhat

No data.