{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T11:53:17.975","vulnerabilities":[{"cve":{"id":"CVE-2024-42062","sourceIdentifier":"security@apache.org","published":"2024-08-07T08:16:12.250","lastModified":"2024-11-21T09:33:30.597","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure.\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated."},{"lang":"es","value":"Los usuarios de cuentas de CloudStack utilizan de forma predeterminada la autenticación basada en nombre de usuario y contraseña para acceder a API y UI. Los usuarios de cuentas pueden generar y registrar API aleatorias y claves secretas y utilizarlas con fines de automatización e integraciones basadas en API. Debido a un problema de validación de permisos de acceso que afecta a las versiones 4.10.0 hasta 4.19.1.0 de Apache CloudStack, se descubrió que las cuentas de administrador de dominio pueden consultar todas las API y claves secretas de los usuarios de cuentas registrados en un entorno, incluida la de un administrador superusuario. Un atacante que tiene acceso de administrador de dominio puede aprovechar esto para obtener privilegios de administrador raíz y de otras cuentas y realizar operaciones maliciosas que pueden comprometer la integridad y confidencialidad de los recursos, la pérdida de datos, la denegación de servicio y la disponibilidad de la infraestructura administrada de CloudStack. Se recomienda a los usuarios actualizar a Apache CloudStack 4.18.2.3 o 4.19.1.1, o posterior, que soluciona este problema. Además, se deben regenerar todas las API y claves secretas del usuario de la cuenta."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-863"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10.0.0","versionEndExcluding":"4.18.2.3","matchCriteriaId":"73701203-F488-4963-8CF6-B5C9577958FA"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.0.0","versionEndExcluding":"4.19.1.1","matchCriteriaId":"820D0BE9-6D2A-4EC1-A098-1A40DEB57BAA"}]}]}],"references":[{"url":"https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3","source":"security@apache.org","tags":["Vendor Advisory"]},{"url":"https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj","source":"security@apache.org","tags":["Mailing List","Release Notes"]},{"url":"https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/","source":"security@apache.org","tags":["Third Party Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2024/08/06/5","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}