389 matches found
CVE-2024-42062 Apache CloudStack: User Key Exposure to Domain Admins
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that...
CVE-2024-42062
CVE-2024-42062 (Apache CloudStack) : A permission validation flaw in CloudStack 4.10.0–4.19.1.0 lets domain-admins query all account-user API/secret keys, including those of root admins. An attacker with domain-admin access can leverage this to gain root-admin and other privileges, potentially co...
CVE-2024-42062 Apache CloudStack: User Key Exposure to Domain Admins
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that...
CVE-2024-42222 Apache CloudStack: Unauthorised Network List Access
In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and...
CVE-2024-42222 Apache CloudStack: Unauthorised Network List Access
In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and...
CVE-2024-42222
CVE-2024-42222 affects Apache CloudStack 4.19.1.0, where a regression in the network listing API allows unauthorised listing of network details for domain admins and normal users, compromising tenant isolation and potentially exposing network configurations and data. The issue has been fixed in C...
PT-2024-29718 · Apache · Apache Cloudstack
Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions 4.10.0 through 4.19.1.0 Description: The issue is caused by an access permission validation problem that allows domain admin accounts to query all registered account-users API and secret keys, including those of the...
Exploit for Authentication Bypass by Spoofing in Apache Cloudstack
🇮🇱 BringThemHome NeverAgainIsNow 🇮🇱 We demand the...
Apache CloudStack Security Bypass Vulnerability (CNVD-2024-33812)
Apache CloudStack is a suite of Infrastructure as a Service IaaS cloud computing platforms from the Apache Foundation in the United States. The platform is primarily used to deploy and manage large networks of virtual machines. A security bypass vulnerability exists in Apache CloudStack that stem...
The vulnerability of the Single Sign-On module for application-based SAML protocols in the Apache CloudStack software, which is used for creating, managing, and deploying infrastructure cloud services, allows a perpetrator to bypass authentication processes and gain full access to any user’s account.
The vulnerability of the Single Sign-On module for application-based SAML programs involved in creating, managing, and deploying infrastructure cloud services like Apache CloudStack relates to the bypassing of authentication processes through spoofing. Exploiting this vulnerability allows a...
CVE-2024-41107
The CloudStack SAML authentication disabled by default does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response...
CVE-2024-41107
The CloudStack SAML authentication disabled by default does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response...
CVE-2024-41107 Apache CloudStack: SAML Signature Exclusion
The CloudStack SAML authentication disabled by default does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response...
CVE-2024-41107 Apache CloudStack: SAML Signature Exclusion
The CloudStack SAML authentication disabled by default does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response...
CVE-2024-41107
CVE-2024-41107 — Apache CloudStack: SAML Signature Exclusion Root cause: CloudStack’s SAML authentication can bypass signature checks when SAML is enabled, allowing spoofed, unsigned SAML responses to authenticate as a legitimate SAML-enabled user. Impact: In affected environments, an attacker ca...
Apache CloudStack 安全漏洞
Apache CloudStack is a suite of Infrastructure as a Service IaaS cloud computing platforms from the Apache Foundation in the United States. The platform is primarily used to deploy and manage large networks of virtual machines. A security bypass vulnerability exists in Apache CloudStack that stem...
PT-2024-5029 · Apache · Apache Cloudstack
Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions 4.5.0 through 4.18.2.1 Apache CloudStack versions 4.19.0.0 through 4.19.0.2 Description: The issue is related to the SAML authentication mechanism in Apache CloudStack, which does not enforce signature checks when...
Apache CloudStack Code Injection Vulnerability
Apache CloudStack is a suite of Infrastructure as a Service IaaS cloud computing platforms from the Apache Foundation in the United States. The platform is primarily used to deploy and manage large networks of virtual machines. Apache CloudStack suffers from a code injection vulnerability that...
CVE-2024-39864
The CloudStack integration API service allows running its unauthenticated API server usually on port 8096 when configured and enabled via integration.api.port global setting for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is...
CVE-2024-39864
The CloudStack integration API service allows running its unauthenticated API server usually on port 8096 when configured and enabled via integration.api.port global setting for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is...