CVE-2024-42062
Vulnerability from cvelistv5
Published: 2024-08-07 07:17
Modified: 2024-09-03 19:58
Summary
CloudStack account-users by default use username-and-password-based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query the API and secret keys of all registered account-users in an environment, including those of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resource integrity and confidentiality, data loss, denial of service, and loss of availability of CloudStack-managed infrastructure.
Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.
References
- Vendor advisory (patch): https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3
- Mailing list / release notes: https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj
- Third-party advisory (ShapeBlue): https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/
- oss-security list post: http://www.openwall.com/lists/oss-security/2024/08/06/5
Impacted products
Vendor | Product | Affected versions | Fixed in
---|---|---|---
Apache Software Foundation | Apache CloudStack | 4.10.0 ≤ version ≤ 4.18.2.2 | 4.18.2.3
Apache Software Foundation | Apache CloudStack | 4.19.0.0 ≤ version ≤ 4.19.1.0 | 4.19.1.1
CPE: cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:* (NVD match ranges: 4.10.0.0 ≤ version < 4.18.2.3 and 4.19.0.0 ≤ version < 4.19.1.1)
Record details (CNA: Apache Software Foundation; ADP: CISA Vulnrichment)
- Title: Apache CloudStack: User Key Exposure to Domain Admins
- Weakness: CWE-863 Incorrect Authorization (assigned by both security@apache.org and nvd@nist.gov)
- Vendor textual severity: critical
- CVSS v3.1 (NVD primary and CISA ADP secondary agree): base score 7.2 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (exploitability 1.2, impact 5.9)
- SSVC (CISA Coordinator, 2024-08-07): Exploitation: none; Automatable: no; Technical Impact: total
- Credit: Fabricio Duarte (finder)
- Discovery: UNKNOWN
- Dates: reserved 2024-07-29; published 2024-08-07; CNA record updated 2024-08-19; record last updated 2024-09-03; NVD entry published 2024-08-07, last modified 2024-11-21 (vulnStatus: Modified)
- Record format: CVE_RECORD, dataVersion 5.1, generated with Vulnogram 0.1.0-dev