7.2 - CVE-2024-42062

Executive Summary

Informations
Name	CVE-2024-42062	First vendor Publication	2024-08-07
Vendor	Cve	Last vendor Modification	2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score	7.2
Base Score	7.2	Environmental Score	7.2
impact SubScore	5.9	Temporal Score	7.2
Exploitabality Sub Score	1.2

Attack Vector	Network	Attack Complexity	Low
Privileges Required	High	User Interaction	None
Scope	Unchanged	Confidentiality Impact	High
Integrity Impact	High	Availability Impact	High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score	N/A	Attack Range	N/A
Cvss Impact Score	N/A	Attack Complexity	N/A
Cvss Expoit Score	N/A	Authentication	N/A
Calculate full CVSS 2.0 Vectors scores

Detail

CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can� generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations.� Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin.� An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss,� denial of service� and availability of CloudStack managed infrastructure.

Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue.� Additionally, all account-user API and secret keys should be regenerated.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42062

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apache Cloudstack cpe:2.3:a:apache:cloudstack:4.9.0.0:::::::* cpe:2.3:a:apache:cloudstack:4.9.0:::::::* cpe:2.3:a:apache:cloudstack:4.8:::::::* cpe:2.3:a:apache:cloudstack:4.7.0:::::::* cpe:2.3:a:apache:cloudstack:4.6.2:::::::* cpe:2.3:a:apache:cloudstack:4.6.1:::::::* cpe:2.3:a:apache:cloudstack:4.6.0:::::::* cpe:2.3:a:apache:cloudstack:4.5.2:::::::* cpe:2.3:a:apache:cloudstack:4.5.1:::::::* cpe:2.3:a:apache:cloudstack:4.4.4:::::::* cpe:2.3:a:apache:cloudstack:4.4.1:::::::* cpe:2.3:a:apache:cloudstack:4.4.0:::::::* cpe:2.3:a:apache:cloudstack:4.3.1:::::::* cpe:2.3:a:apache:cloudstack:4.3.0:::::::* cpe:2.3:a:apache:cloudstack:4.19.1.0:::::::* cpe:2.3:a:apache:cloudstack:4.19.0.0:::::::* cpe:2.3:a:apache:cloudstack:4.17.0.0:::::::* cpe:2.3:a:apache:cloudstack:4.1.1:::::::* cpe:2.3:a:apache:cloudstack:4.1.0:::::::* cpe:2.3:a:apache:cloudstack:4.0.2:::::::* cpe:2.3:a:apache:cloudstack:4.0.1:::::::* cpe:2.3:a:apache:cloudstack:4.0.0:incubating:::::: cpe:2.3:a:apache:cloudstack:3.0.2:::::::* cpe:2.3:a:apache:cloudstack:3.0.1:::::::* cpe:2.3:a:apache:cloudstack:3.0.0:::::::* cpe:2.3:a:apache:cloudstack:2.2.9:::::::* cpe:2.3:a:apache:cloudstack:2.2.8:::::::* cpe:2.3:a:apache:cloudstack:2.2.7:::::::* cpe:2.3:a:apache:cloudstack:2.2.6:::::::* cpe:2.3:a:apache:cloudstack:2.2.5:::::::* cpe:2.3:a:apache:cloudstack:2.2.3:::::::* cpe:2.3:a:apache:cloudstack:2.2.2:::::::* cpe:2.3:a:apache:cloudstack:2.2.14:::::::* cpe:2.3:a:apache:cloudstack:2.2.13:::::::* cpe:2.3:a:apache:cloudstack:2.2.12:::::::* cpe:2.3:a:apache:cloudstack:2.2.11:::::::* cpe:2.3:a:apache:cloudstack:2.2.1:::::::* cpe:2.3:a:apache:cloudstack:2.2.0:::::::* cpe:2.3:a:apache:cloudstack:2.1.9:::::::* cpe:2.3:a:apache:cloudstack:2.1.8:::::::* cpe:2.3:a:apache:cloudstack:2.1.7:::::::* cpe:2.3:a:apache:cloudstack:2.1.6:::::::* cpe:2.3:a:apache:cloudstack:2.1.5:::::::* cpe:2.3:a:apache:cloudstack:2.1.4:::::::* cpe:2.3:a:apache:cloudstack:2.1.3:::::::* cpe:2.3:a:apache:cloudstack:2.1.2:::::::* cpe:2.3:a:apache:cloudstack:2.1.10:::::::* cpe:2.3:a:apache:cloudstack:2.1.1:::::::* cpe:2.3:a:apache:cloudstack:2.1.0:::::::* cpe:2.3:a:apache:cloudstack:2.0.1:::::::* cpe:2.3:a:apache:cloudstack:2.0:-:community:::::* cpe:2.3:a:apache:cloudstack:::::::: cpe:2.3:a:apache:cloudstack:-:prerelease::::::	53

Sources (Detail)

http://www.openwall.com/lists/oss-security/2024/08/06/5
https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3
https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-secur...

Source	Url

Alert History

If you want to see full details history, please login or register.

Date	Informations
2025-01-25 03:03:01	Multiple Updates
2024-11-25 09:23:14	Multiple Updates
2024-10-11 17:27:37	Multiple Updates
2024-09-04 05:27:34	Multiple Updates
2024-08-30 02:56:13	Multiple Updates
2024-08-19 21:27:32	Multiple Updates
2024-08-13 00:27:26	Multiple Updates
2024-08-07 21:27:25	Multiple Updates
2024-08-07 13:27:29	First insertion

7.2 - CVE-2024-42062

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CPE : Common Platform Enumeration

Sources (Detail)

Alert History

Global Informations

Open Standards

COMPANY

STANDARDS

RECENT POSTS

MENU