Lucene search

ApacheVULNRICHMENT:CVE-2024-42222

HistoryAug 07, 2024 - 7:16 a.m.

CVE-2024-42222 Apache CloudStack: Unauthorised Network List Access

2024-08-0707:16:13

CWE-200

apache

github.com

apache cloudstack

unauthorised access

network details

tenant isolation

upgrade

vulnerability

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

35.1%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data.

Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache CloudStack",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "4.19.1.0"
      }
    ]
  }
]

References

cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3

github.com/apache/cloudstack/issues/9456

lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj

www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/