Severity: 7.2 HIGH
EPSS: 0.2% (top 63.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 7

Description

CloudStack account-users by default use username- and password-based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users' API and secret keys in an environment, including that of a roo

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

Source | Package | Affected from | Affected to | Additional ranges
CVEListV5 | apache_software_foundation/apache_cloudstack | 4.10.0 | 4.18.2.2 | +1
NVD | apache/cloudstack | 4.10.0.0 | 4.18.2.3 | +1

Vulnerability Details (2)

- GHSA: GHSA-wrfv-q4v6-cw3x: CloudStack account-users by default use username and password based authentication for API and UI access (2024-08-07)
- CVEList: Apache CloudStack: User Key Exposure to Domain Admins (2024-08-07)
CVE-2024-42062 (HIGH, CVSS 7.2): CloudStack account-users by default use username and password based authentication for API and UI access (cvebase.io)