CVE-2024-42062

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-42062
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.

7.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 Vendor Advisory
https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj Mailing List Release Notes
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
History

19 Aug 2024, 14:15

Type Values Removed Values Added
CWE CWE-200 CWE-863

12 Aug 2024, 18:56

Type Values Removed Values Added
CPE cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*
CWE CWE-276
References () https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 - () https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 - Vendor Advisory
References () https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj - () https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj - Mailing List, Release Notes
References () https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ - () https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ - Third Party Advisory
CVSS v2 : unknown
v3 : 8.8 		v2 : unknown
v3 : 7.2
First Time Apache cloudstack
Apache

07 Aug 2024, 19:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8

07 Aug 2024, 15:17

Type Values Removed Values Added
Summary
  • (es) Los usuarios de cuentas de CloudStack utilizan de forma predeterminada la autenticación basada en nombre de usuario y contraseña para acceder a API y UI. Los usuarios de cuentas pueden generar y registrar API aleatorias y claves secretas y utilizarlas con fines de automatización e integraciones basadas en API. Debido a un problema de validación de permisos de acceso que afecta a las versiones 4.10.0 hasta 4.19.1.0 de Apache CloudStack, se descubrió que las cuentas de administrador de dominio pueden consultar todas las API y claves secretas de los usuarios de cuentas registrados en un entorno, incluida la de un administrador superusuario. Un atacante que tiene acceso de administrador de dominio puede aprovechar esto para obtener privilegios de administrador raíz y de otras cuentas y realizar operaciones maliciosas que pueden comprometer la integridad y confidencialidad de los recursos, la pérdida de datos, la denegación de servicio y la disponibilidad de la infraestructura administrada de CloudStack. Se recomienda a los usuarios actualizar a Apache CloudStack 4.18.2.3 o 4.19.1.1, o posterior, que soluciona este problema. Además, se deben regenerar todas las API y claves secretas del usuario de la cuenta.

07 Aug 2024, 08:16

Type Values Removed Values Added
New CVE
Information

Published : 2024-08-07 08:16

Updated : 2024-09-03 20:35

NVD link : CVE-2024-42062

Mitre link : CVE-2024-42062

CVE.ORG link : CVE-2024-42062

JSON object : View

Products Affected

apache

  • cloudstack
CWE
CWE-863

Incorrect Authorization

CWE-276

Incorrect Default Permissions