[{"vendor":"apache","product":"cloudstack","defaultStatus":"unaffected","cpes":["cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*"],"versions":[{"version":"4.19.0.0","lessThanOrEqual":"4.19.1.0","versionType":"semver","status":"affected"},{"version":"4.10.0.0","lessThanOrEqual":"4.18.2.2","versionType":"semver","status":"affected"}]}]

{"timestamp":"2024-08-07T18:16:06.919266Z","id":"CVE-2024-42062","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"Apache Software Foundation","product":"Apache CloudStack","defaultStatus":"unaffected","versions":[{"version":"4.10.0","lessThanOrEqual":"4.18.2.2","versionType":"semver","status":"affected"},{"version":"4.19.0.0","lessThanOrEqual":"4.19.1.0","versionType":"semver","status":"affected"}]}]

http://www.openwall.com/lists/oss-security/2024/08/06/5

NIST CWE-863

NIST CWE-276

CISA-ADP AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA-ADP AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Apache Software Foundation CWE-863

Apache Software Foundation CWE-200

NIST AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

NIST CWE-276

OR
     *cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:* versions from (including) 4.10.0.0 up to (excluding) 4.18.2.3
     *cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:* versions from (including) 4.19.0.0 up to (excluding) 4.19.1.1

https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 No Types Assigned

https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 Vendor Advisory

https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj No Types Assigned

https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj Mailing List, Release Notes

https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ No Types Assigned

https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ Third Party Advisory

CISA-ADP AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure.

Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.

Apache Software Foundation CWE-200

Apache Software Foundation https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 [No types assigned]

Apache Software Foundation https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj [No types assigned]

Apache Software Foundation https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ [No types assigned]