cvelistv5 - cve-2025-26521

CVE-2025-26521 (GCVE-0-2025-26521)

Vulnerability from cvelistv5

Published

2025-06-10 23:08

Modified

2025-06-14 03:56

Severity ?

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Summary

When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the 'kubeadmin' user of the CKS cluster's creator's account. An attacker who's a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator's account. CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role "Project Kubernetes Service Role" with the following details: Account Name kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID> First Name Kubernetes Last Name Service User Account Type 0 (Normal User) Role ID <ID_OF_SERVICE_ROLE> 2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted. 3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account. 4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data: api-url = <API_URL> # For example: <MS_URL>/client/api api-key = <SERVICE_USER_API_KEY> secret-key = <SERVICE_USER_SECRET_KEY> project-id = <PROJECT_ID> Delete the existing secret using kubectl and Kubernetes cluster config: ./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret Create a new secret using kubectl and Kubernetes cluster config: ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config Remove the temporary file: rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.

References

URL	Tags
security@apache.org	https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/	Vendor Advisory
security@apache.org	https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60	Mailing List, Vendor Advisory
security@apache.org	https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/	Broken Link

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache CloudStack	Version: 4.17.0.0 ≤ Version: 4.20.0.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-26521",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-14T03:56:16.937Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache CloudStack",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "4.19.3.0",
              "status": "affected",
              "version": "4.17.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.20.1.0",
              "status": "affected",
              "version": "4.20.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Wei Zhou (weizhou@apache.org)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\u003cbr\u003e\u003cbr\u003eCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.\u003ch3\u003eUpdating Existing Kubernetes Clusters in Projects\u003c/h3\u003eA \u003cb\u003eservice account\u003c/b\u003e should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:\u003ch3\u003e1. Create a New Service Account\u003c/h3\u003e\u003cdiv\u003eCreate a new account using the role \u003cb\u003e\"Project Kubernetes Service Role\"\u003c/b\u003e with the following details:\u003c/div\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eAccount Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003ekubeadmin-\u0026lt;FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u0026gt;\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eFirst Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eKubernetes\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eLast Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eService User\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eAccount Type\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e0 (Normal User)\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRole ID\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;ID_OF_SERVICE_ROLE\u0026gt;\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/div\u003e\u003ch3\u003e2. Add the Service Account to the Project\u003c/h3\u003eAdd this account to the \u003cb\u003eproject\u003c/b\u003e where the Kubernetes cluster(s) are hosted.\u003cbr\u003e\u003ch3\u003e3. Generate API and Secret Keys\u003c/h3\u003eGenerate \u003cb\u003eAPI Key\u003c/b\u003e and \u003cb\u003eSecret Key\u003c/b\u003e for the \u003ci\u003edefault user\u003c/i\u003e of this account.\u003cbr\u003e\u003ch3\u003e4. Update the CloudStack Secret in the Kubernetes Cluster\u003c/h3\u003eCreate a temporary file `/tmp/cloud-config` with the following data:\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003ctt\u003e\u0026nbsp;api-url = \u0026lt;API_URL\u0026gt;  \u0026nbsp; \u0026nbsp;  # For example: \u0026lt;MS_URL\u0026gt;/client/api\u003cbr\u003e\u0026nbsp; api-key = \u0026lt;SERVICE_USER_API_KEY\u0026gt;\u003cbr\u003e\u0026nbsp; secret-key = \u0026lt;SERVICE_USER_SECRET_KEY\u0026gt;\u003cbr\u003e\u003c/tt\u003e\u003cdiv\u003e\u003ctt\u003e\u0026nbsp; project-id = \u0026lt;PROJECT_ID\u0026gt;\u003c/tt\u003e\u003c/div\u003e\u003cdiv\u003e\u003ctt\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/div\u003eDelete the existing secret using kubectl and Kubernetes cluster config:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp;\u0026nbsp;\u003ctt\u003e\u0026nbsp;./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\u003c/tt\u003e\u003c/div\u003e\u003cdiv\u003e\u003ctt\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/div\u003eCreate a new secret using kubectl and Kubernetes cluster config:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp; \u0026nbsp; ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eRemove the temporary file:\u003cbr\u003e\u0026nbsp; \u0026nbsp; rm /tmp/cloud-config\u003ch3\u003e5. Regenerate API and Secret Keys\u003c/h3\u003eRegenerate the API and secret keys for the \u003cb\u003eoriginal user account\u003c/b\u003e that was used to create the Kubernetes cluster.\u003cbr\u003e"
            }
          ],
          "value": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\n\nCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role \"Project Kubernetes Service Role\" with the following details:\n\nAccount Name\nkubeadmin-\u003cFIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u003e\nFirst Name\nKubernetes\nLast Name\nService User\nAccount Type\n0 (Normal User)\nRole ID\n\u003cID_OF_SERVICE_ROLE\u003e\n\n\n\n2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.\n3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.\n4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:\n\u00a0\u00a0\u00a0api-url = \u003cAPI_URL\u003e  \u00a0 \u00a0  # For example: \u003cMS_URL\u003e/client/api\n\u00a0 api-key = \u003cSERVICE_USER_API_KEY\u003e\n\u00a0 secret-key = \u003cSERVICE_USER_SECRET_KEY\u003e\n\u00a0 project-id = \u003cPROJECT_ID\u003e\n\n\n\n\nDelete the existing secret using kubectl and Kubernetes cluster config:\n\u00a0\u00a0\u00a0./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\n\n\n\n\nCreate a new secret using kubectl and Kubernetes cluster config:\n\u00a0 \u00a0 ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\n\n\n\n\nRemove the temporary file:\n\u00a0 \u00a0 rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-10T23:08:48.602Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
        },
        {
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache CloudStack: CKS cluster in project exposes user API keys",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-26521",
    "datePublished": "2025-06-10T23:08:48.602Z",
    "dateReserved": "2025-02-12T09:12:55.769Z",
    "dateUpdated": "2025-06-14T03:56:16.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-26521\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-06-10T23:15:23.840\",\"lastModified\":\"2025-07-01T19:25:25.777\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\\n\\nCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role \\\"Project Kubernetes Service Role\\\" with the following details:\\n\\nAccount Name\\nkubeadmin-\u003cFIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u003e\\nFirst Name\\nKubernetes\\nLast Name\\nService User\\nAccount Type\\n0 (Normal User)\\nRole ID\\n\u003cID_OF_SERVICE_ROLE\u003e\\n\\n\\n\\n2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.\\n3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.\\n4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:\\n\u00a0\u00a0\u00a0api-url = \u003cAPI_URL\u003e  \u00a0 \u00a0  # For example: \u003cMS_URL\u003e/client/api\\n\u00a0 api-key = \u003cSERVICE_USER_API_KEY\u003e\\n\u00a0 secret-key = \u003cSERVICE_USER_SECRET_KEY\u003e\\n\u00a0 project-id = \u003cPROJECT_ID\u003e\\n\\n\\n\\n\\nDelete the existing secret using kubectl and Kubernetes cluster config:\\n\u00a0\u00a0\u00a0./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\\n\\n\\n\\n\\nCreate a new secret using kubectl and Kubernetes cluster config:\\n\u00a0 \u00a0 ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\\n\\n\\n\\n\\nRemove the temporary file:\\n\u00a0 \u00a0 rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.\"},{\"lang\":\"es\",\"value\":\"Cuando una cuenta de usuario de Apache CloudStack crea un cl\u00faster de Kubernetes basado en CKS en un proyecto, la clave API y la clave secreta del usuario \\\"kubeadmin\\\" de la cuenta del autor de la llamada se utilizan para crear la configuraci\u00f3n secreta en el cl\u00faster de Kubernetes basado en CKS. Un miembro del proyecto con acceso al cl\u00faster de Kubernetes basado en CKS tambi\u00e9n puede acceder a la clave API y la clave secreta del usuario \\\"kubeadmin\\\" de la cuenta del creador del cl\u00faster. Un atacante miembro del proyecto puede aprovechar esto para suplantar la identidad y realizar acciones privilegiadas que pueden comprometer por completo la confidencialidad, integridad y disponibilidad de los recursos de la cuenta del creador. Se recomienda a los usuarios de CKS actualizar a la versi\u00f3n 4.19.3.0 o 4.20.1.0, que soluciona este problema. Actualizaci\u00f3n de cl\u00fasteres de Kubernetes existentes en proyectos. Se debe crear una cuenta de servicio para cada proyecto a fin de proporcionar acceso limitado, espec\u00edficamente para los proveedores de cl\u00fasteres de Kubernetes y el escalado autom\u00e1tico. Siga los pasos a continuaci\u00f3n para crear una nueva cuenta de servicio, actualizar el secreto dentro del cl\u00faster y regenerar las claves de API y de servicio existentes: 1. Cree una nueva cuenta de servicio. Cree una nueva cuenta con el rol \\\"Rol de servicio de Kubernetes del proyecto\\\" con la siguiente informaci\u00f3n: Nombre de la cuenta: kubeadmin- Nombre: Kubernetes Apellido: Usuario de servicio Tipo de cuenta: 0 (Usuario normal) ID de rol:  2. Agregue la cuenta de servicio al proyecto. Agregue esta cuenta al proyecto donde se alojan los cl\u00fasteres de Kubernetes. 3. Genere las claves de API y secretas. Genere la clave de API y la clave secreta para el usuario predeterminado de esta cuenta. 4. Actualice el secreto de CloudStack en el cl\u00faster de Kubernetes. Cree un archivo temporal `/tmp/cloud-config` con los siguientes datos: api-url =  # Por ejemplo: /client/api api-key =  secret-key =  project-id =  Elimine el secreto existente usando kubectl y la configuraci\u00f3n del cl\u00faster de Kubernetes: ./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret Cree un nuevo secreto usando kubectl y la configuraci\u00f3n del cl\u00faster de Kubernetes: ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config Elimine el archivo temporal: rm /tmp/cloud-config5. Regenerar API y claves secretasRegenere la API y las claves secretas para la cuenta de usuario original que se utiliz\u00f3 para crear el cl\u00faster de Kubernetes.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.17.0.0\",\"versionEndExcluding\":\"4.19.3.0\",\"matchCriteriaId\":\"E8D199C3-AC0F-4B50-B3CE-43B0B5FABC40\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20.0.0\",\"versionEndExcluding\":\"4.20.1.0\",\"matchCriteriaId\":\"67E1FECD-94E6-4B2A-A52D-47D7FC8C9B10\"}]}]}],\"references\":[{\"url\":\"https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/\",\"source\":\"security@apache.org\",\"tags\":[\"Broken Link\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-26521\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-11T13:42:07.036586Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-11T13:43:24.123Z\"}}], \"cna\": {\"title\": \"Apache CloudStack: CKS cluster in project exposes user API keys\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Wei Zhou (weizhou@apache.org)\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"critical\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache CloudStack\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.17.0.0\", \"lessThan\": \"4.19.3.0\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.20.0.0\", \"lessThan\": \"4.20.1.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60\", \"tags\": [\"mailing-list\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\\n\\nCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role \\\"Project Kubernetes Service Role\\\" with the following details:\\n\\nAccount Name\\nkubeadmin-\u003cFIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u003e\\nFirst Name\\nKubernetes\\nLast Name\\nService User\\nAccount Type\\n0 (Normal User)\\nRole ID\\n\u003cID_OF_SERVICE_ROLE\u003e\\n\\n\\n\\n2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.\\n3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.\\n4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:\\n\\u00a0\\u00a0\\u00a0api-url = \u003cAPI_URL\u003e  \\u00a0 \\u00a0  # For example: \u003cMS_URL\u003e/client/api\\n\\u00a0 api-key = \u003cSERVICE_USER_API_KEY\u003e\\n\\u00a0 secret-key = \u003cSERVICE_USER_SECRET_KEY\u003e\\n\\u00a0 project-id = \u003cPROJECT_ID\u003e\\n\\n\\n\\n\\nDelete the existing secret using kubectl and Kubernetes cluster config:\\n\\u00a0\\u00a0\\u00a0./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\\n\\n\\n\\n\\nCreate a new secret using kubectl and Kubernetes cluster config:\\n\\u00a0 \\u00a0 ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\\n\\n\\n\\n\\nRemove the temporary file:\\n\\u00a0 \\u00a0 rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\u003cbr\u003e\u003cbr\u003eCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.\u003ch3\u003eUpdating Existing Kubernetes Clusters in Projects\u003c/h3\u003eA \u003cb\u003eservice account\u003c/b\u003e should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:\u003ch3\u003e1. Create a New Service Account\u003c/h3\u003e\u003cdiv\u003eCreate a new account using the role \u003cb\u003e\\\"Project Kubernetes Service Role\\\"\u003c/b\u003e with the following details:\u003c/div\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eAccount Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003ekubeadmin-\u0026lt;FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u0026gt;\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eFirst Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eKubernetes\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eLast Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eService User\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eAccount Type\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e0 (Normal User)\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRole ID\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;ID_OF_SERVICE_ROLE\u0026gt;\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/div\u003e\u003ch3\u003e2. Add the Service Account to the Project\u003c/h3\u003eAdd this account to the \u003cb\u003eproject\u003c/b\u003e where the Kubernetes cluster(s) are hosted.\u003cbr\u003e\u003ch3\u003e3. Generate API and Secret Keys\u003c/h3\u003eGenerate \u003cb\u003eAPI Key\u003c/b\u003e and \u003cb\u003eSecret Key\u003c/b\u003e for the \u003ci\u003edefault user\u003c/i\u003e of this account.\u003cbr\u003e\u003ch3\u003e4. Update the CloudStack Secret in the Kubernetes Cluster\u003c/h3\u003eCreate a temporary file `/tmp/cloud-config` with the following data:\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003ctt\u003e\u0026nbsp;api-url = \u0026lt;API_URL\u0026gt;  \u0026nbsp; \u0026nbsp;  # For example: \u0026lt;MS_URL\u0026gt;/client/api\u003cbr\u003e\u0026nbsp; api-key = \u0026lt;SERVICE_USER_API_KEY\u0026gt;\u003cbr\u003e\u0026nbsp; secret-key = \u0026lt;SERVICE_USER_SECRET_KEY\u0026gt;\u003cbr\u003e\u003c/tt\u003e\u003cdiv\u003e\u003ctt\u003e\u0026nbsp; project-id = \u0026lt;PROJECT_ID\u0026gt;\u003c/tt\u003e\u003c/div\u003e\u003cdiv\u003e\u003ctt\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/div\u003eDelete the existing secret using kubectl and Kubernetes cluster config:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp;\u0026nbsp;\u003ctt\u003e\u0026nbsp;./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\u003c/tt\u003e\u003c/div\u003e\u003cdiv\u003e\u003ctt\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/div\u003eCreate a new secret using kubectl and Kubernetes cluster config:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp; \u0026nbsp; ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eRemove the temporary file:\u003cbr\u003e\u0026nbsp; \u0026nbsp; rm /tmp/cloud-config\u003ch3\u003e5. Regenerate API and Secret Keys\u003c/h3\u003eRegenerate the API and secret keys for the \u003cb\u003eoriginal user account\u003c/b\u003e that was used to create the Kubernetes cluster.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-06-10T23:08:48.602Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-26521\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-14T03:56:16.937Z\", \"dateReserved\": \"2025-02-12T09:12:55.769Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-06-10T23:08:48.602Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-r5jq-h47c-74h3

Vulnerability from github

Published

2025-06-11 00:30

Modified

2025-06-11 15:30

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role "Project Kubernetes Service Role" with the following details:

Account Name kubeadmin- First Name Kubernetes Last Name Service User Account Type 0 (Normal User) Role ID

Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.
Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.
Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file /tmp/cloud-config with the following data: api-url = # For example: /client/api api-key = secret-key = project-id =

Delete the existing secret using kubectl and Kubernetes cluster config: ./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret

Create a new secret using kubectl and Kubernetes cluster config: ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config

Remove the temporary file: rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-26521"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-10T23:15:23Z",
    "severity": "HIGH"
  },
  "details": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\n\nCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role \"Project Kubernetes Service Role\" with the following details:\n\nAccount Name\nkubeadmin-\u003cFIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u003e\nFirst Name\nKubernetes\nLast Name\nService User\nAccount Type\n0 (Normal User)\nRole ID\n\u003cID_OF_SERVICE_ROLE\u003e\n\n\n\n2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.\n3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.\n4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:\n\u00a0\u00a0\u00a0api-url = \u003cAPI_URL\u003e  \u00a0 \u00a0  # For example: \u003cMS_URL\u003e/client/api\n\u00a0 api-key = \u003cSERVICE_USER_API_KEY\u003e\n\u00a0 secret-key = \u003cSERVICE_USER_SECRET_KEY\u003e\n\u00a0 project-id = \u003cPROJECT_ID\u003e\n\n\n\n\nDelete the existing secret using kubectl and Kubernetes cluster config:\n\u00a0\u00a0\u00a0./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\n\n\n\n\nCreate a new secret using kubectl and Kubernetes cluster config:\n\u00a0 \u00a0 ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\n\n\n\n\nRemove the temporary file:\n\u00a0 \u00a0 rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.",
  "id": "GHSA-r5jq-h47c-74h3",
  "modified": "2025-06-11T15:30:27Z",
  "published": "2025-06-11T00:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26521"
    },
    {
      "type": "WEB",
      "url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
    },
    {
      "type": "WEB",
      "url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

fkie_cve-2025-26521

Vulnerability from fkie_nvd

Published

2025-06-10 23:15

Modified

2025-07-01 19:25

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security@apache.org	https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/	Vendor Advisory
security@apache.org	https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60	Mailing List, Vendor Advisory
security@apache.org	https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/	Broken Link

Impacted products

	Vendor	Product	Version
	apache	cloudstack	*
	apache	cloudstack	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8D199C3-AC0F-4B50-B3CE-43B0B5FABC40",
              "versionEndExcluding": "4.19.3.0",
              "versionStartIncluding": "4.17.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "67E1FECD-94E6-4B2A-A52D-47D7FC8C9B10",
              "versionEndExcluding": "4.20.1.0",
              "versionStartIncluding": "4.20.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\n\nCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role \"Project Kubernetes Service Role\" with the following details:\n\nAccount Name\nkubeadmin-\u003cFIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u003e\nFirst Name\nKubernetes\nLast Name\nService User\nAccount Type\n0 (Normal User)\nRole ID\n\u003cID_OF_SERVICE_ROLE\u003e\n\n\n\n2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.\n3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.\n4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:\n\u00a0\u00a0\u00a0api-url = \u003cAPI_URL\u003e  \u00a0 \u00a0  # For example: \u003cMS_URL\u003e/client/api\n\u00a0 api-key = \u003cSERVICE_USER_API_KEY\u003e\n\u00a0 secret-key = \u003cSERVICE_USER_SECRET_KEY\u003e\n\u00a0 project-id = \u003cPROJECT_ID\u003e\n\n\n\n\nDelete the existing secret using kubectl and Kubernetes cluster config:\n\u00a0\u00a0\u00a0./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\n\n\n\n\nCreate a new secret using kubectl and Kubernetes cluster config:\n\u00a0 \u00a0 ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\n\n\n\n\nRemove the temporary file:\n\u00a0 \u00a0 rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster."
    },
    {
      "lang": "es",
      "value": "Cuando una cuenta de usuario de Apache CloudStack crea un cl\u00faster de Kubernetes basado en CKS en un proyecto, la clave API y la clave secreta del usuario \"kubeadmin\" de la cuenta del autor de la llamada se utilizan para crear la configuraci\u00f3n secreta en el cl\u00faster de Kubernetes basado en CKS. Un miembro del proyecto con acceso al cl\u00faster de Kubernetes basado en CKS tambi\u00e9n puede acceder a la clave API y la clave secreta del usuario \"kubeadmin\" de la cuenta del creador del cl\u00faster. Un atacante miembro del proyecto puede aprovechar esto para suplantar la identidad y realizar acciones privilegiadas que pueden comprometer por completo la confidencialidad, integridad y disponibilidad de los recursos de la cuenta del creador. Se recomienda a los usuarios de CKS actualizar a la versi\u00f3n 4.19.3.0 o 4.20.1.0, que soluciona este problema. Actualizaci\u00f3n de cl\u00fasteres de Kubernetes existentes en proyectos. Se debe crear una cuenta de servicio para cada proyecto a fin de proporcionar acceso limitado, espec\u00edficamente para los proveedores de cl\u00fasteres de Kubernetes y el escalado autom\u00e1tico. Siga los pasos a continuaci\u00f3n para crear una nueva cuenta de servicio, actualizar el secreto dentro del cl\u00faster y regenerar las claves de API y de servicio existentes: 1. Cree una nueva cuenta de servicio. Cree una nueva cuenta con el rol \"Rol de servicio de Kubernetes del proyecto\" con la siguiente informaci\u00f3n: Nombre de la cuenta: kubeadmin- Nombre: Kubernetes Apellido: Usuario de servicio Tipo de cuenta: 0 (Usuario normal) ID de rol:  2. Agregue la cuenta de servicio al proyecto. Agregue esta cuenta al proyecto donde se alojan los cl\u00fasteres de Kubernetes. 3. Genere las claves de API y secretas. Genere la clave de API y la clave secreta para el usuario predeterminado de esta cuenta. 4. Actualice el secreto de CloudStack en el cl\u00faster de Kubernetes. Cree un archivo temporal `/tmp/cloud-config` con los siguientes datos: api-url =  # Por ejemplo: /client/api api-key =  secret-key =  project-id =  Elimine el secreto existente usando kubectl y la configuraci\u00f3n del cl\u00faster de Kubernetes: ./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret Cree un nuevo secreto usando kubectl y la configuraci\u00f3n del cl\u00faster de Kubernetes: ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config Elimine el archivo temporal: rm /tmp/cloud-config5. Regenerar API y claves secretasRegenere la API y las claves secretas para la cuenta de usuario original que se utiliz\u00f3 para crear el cl\u00faster de Kubernetes."
    }
  ],
  "id": "CVE-2025-26521",
  "lastModified": "2025-07-01T19:25:25.777",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-10T23:15:23.840",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Broken Link"
      ],
      "url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-26521 (GCVE-0-2025-26521)

Vulnerability from cvelistv5

ghsa-r5jq-h47c-74h3

Vulnerability from github

fkie_cve-2025-26521

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature