Understanding the Recent Access Permission Validation Vulnerability in CloudStack
CVE-2024-42062

7.2HIGH

Key Information:

Vendor:
Apache
CVE Published:
7 August 2024

Summary

A significant access permission validation flaw has been identified in Apache CloudStack that allows domain admin accounts to access the API and secret keys generated by all registered account users, including those of root admin accounts. The vulnerability exists in Apache CloudStack versions from 4.10.0 through 4.19.1.0. An attacker leveraging this weakness can escalate their privileges, potentially resulting in unauthorized access, data loss, denial of service, and loss of integrity and confidentiality across the cloud-managed infrastructure. The recommended course of action is to upgrade immediately to version 4.18.2.3 or 4.19.1.1 and to regenerate all API and secret keys.

Affected Version(s)

Apache CloudStack 4.10.0 through 4.18.2.2 (inclusive)

Apache CloudStack 4.19.0.0 through 4.19.1.0 (inclusive)
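As an added example (not part of this advisory or of the CloudStack project), the following Python triage helper checks reported management-server version strings against the two affected ranges listed above and returns the fixed release to upgrade to; the inventory of hosts and versions is constructed sample data, and the key regeneration step the summary recommends is outside its scope.

```python
"""Triage CloudStack version strings against the CVE-2024-42062 affected ranges.

Added example; the ranges and fixed releases are taken from the advisory text.
"""
from typing import Dict, Optional, Tuple

# (first affected, last affected, fixed release) per the advisory, inclusive bounds.
AFFECTED_RANGES = [
    ("4.10.0", "4.18.2.2", "4.18.2.3"),
    ("4.19.0.0", "4.19.1.0", "4.19.1.1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.19.1.0' into (4, 19, 1, 0).

    Shorter strings are right-padded with zeros so '4.18' compares as 4.18.0.0,
    and a build suffix such as '-SNAPSHOT' is ignored. Non-numeric components
    raise ValueError rather than silently comparing as unaffected.
    """
    base = version.strip().split("-", 1)[0]
    nums = tuple(int(part) for part in base.split("."))
    return nums + (0,) * (4 - len(nums))


def affected_status(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host in {host: version} to the release it should move to."""
    return {host: fixed for host, ver in inventory.items()
            if (fixed := affected_status(ver)) is not None}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {"cs-mgmt-01": "4.18.2.2", "cs-mgmt-02": "4.19.1.1",
              "cs-lab": "4.19.0.0-SNAPSHOT"}
    for host, fixed in triage(sample).items():
        print(f"{host}: affected by CVE-2024-42062, upgrade to {fixed}")
```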

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Credit

Fabricio Duarte