NVD:CVE-2024-42222
Aug 07, 2024 - 8:16 a.m.

CVE-2024-42222

2024-08-07 08:16:12
CWE-200
web.nvd.nist.gov
apache cloudstack
network listing api
unauthorised access

CVSS3: 4.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001
Percentile: 35.1%

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data.

Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack who are considering an upgrade can skip 4.19.1.0 and upgrade directly to 4.19.1.1.

Affected configurations

Nvd
Node: apache cloudstack, Match 4.19.1.0

Vendor | Product | Version | CPE
apache | cloudstack | 4.19.1.0 | cpe:2.3:a:apache:cloudstack:4.19.1.0:*:*:*:*:*:*:*
