Description

CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.

INFO

Published Date :

2024-08-07T07:17:08.811Z

Last Modified :

2024-09-03T19:58:27.161Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2024-42062 vulnerability.

Vendors Products
Apache
  • Cloudstack
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-42062.

URL Resource
http://www.openwall.com/lists/oss-security/2024/08/06/5 cve-icon cve-icon
https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 cve-icon cve-icon
https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj cve-icon cve-icon
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact