CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2024-42062 – Apache CloudStack: User Key Exposure to Domain Admins
https://notcve.org/view.php?id=CVE-2024-42062
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated. • https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1 • CWE-863: Incorrect Authorization •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42222 – Apache CloudStack: Unauthorised Network List Access
https://notcve.org/view.php?id=CVE-2024-42222
In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data. Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1. • https://github.com/apache/cloudstack/issues/9456 https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 72%CPEs: 2EXPL: 1CVE-2024-41107 – Apache CloudStack: SAML Signature Exclusion
https://notcve.org/view.php?id=CVE-2024-41107
The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account. In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account. Affected users are recommended to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue. La autenticación SAML de CloudStack (deshabilitada de forma predeterminada) no exige la verificación de firmas. En entornos de CloudStack donde la autenticación SAML está habilitada, un atacante que inicia la autenticación de inicio de sesión único SAML de CloudStack puede omitir la autenticación SAML enviando una respuesta SAML falsificada sin firma y con un nombre de usuario conocido o adivinado y otros detalles de usuario de un usuario de CloudStack habilitado para SAML. cuenta. • https://github.com/d0rb/CVE-2024-41107 http://www.openwall.com/lists/oss-security/2024/07/19/1 http://www.openwall.com/lists/oss-security/2024/07/19/2 https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107 https://github.com/apache/cloudstack/issues/4519 https://lists.apache.org/thread/5q06g8zvmhcw6w3tjr6r5prqdw6zckg3 https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-cve-2024-41107 • CWE-290: Authentication Bypass by Spoofing •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-38346 – Apache CloudStack: Unauthenticated cluster service port leads to remote execution
https://notcve.org/view.php?id=CVE-2024-38346
The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of these commands were found to have command injection vulnerabilities that can result in arbitrary code execution via agents on the hosts that may run as a privileged user. An attacker that can reach the cluster service on the unauthenticated port (default 9090), can exploit this to perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access to the cluster service port (default 9090) on a CloudStack management server host to only its peer CloudStack management server hosts. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue. El servicio de clúster de CloudStack se ejecuta en un puerto no autenticado (9090 predeterminado) que puede usarse indebidamente para ejecutar comandos arbitrarios en hipervisores específicos y hosts de servidores de administración de CloudStack. • http://www.openwall.com/lists/oss-security/2024/07/05/1 https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1 https://lists.apache.org/thread/6l51r00csrct61plkyd3qg3fj99215d1 https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-1-and-4-19-0-2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-39864 – Apache CloudStack: Integration API service uses dynamic port when disabled
https://notcve.org/view.php?id=CVE-2024-39864
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue. • http://www.openwall.com/lists/oss-security/2024/07/05/1 https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1 https://lists.apache.org/thread/6l51r00csrct61plkyd3qg3fj99215d1 https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-1-and-4-19-0-2 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-665: Improper Initialization •