In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data.
Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.
References
Link | Resource |
---|---|
https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 | Vendor Advisory |
https://github.com/apache/cloudstack/issues/9456 | Exploit Issue Tracking Third Party Advisory |
https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj | Mailing List Vendor Advisory |
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ | Third Party Advisory |
http://www.openwall.com/lists/oss-security/2024/08/06/6 |
Configurations
History
21 Nov 2024, 09:33
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Aug 2024, 16:43
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-noinfo | |
First Time |
Apache cloudstack
Apache |
|
References | () https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3 - Vendor Advisory | |
References | () https://github.com/apache/cloudstack/issues/9456 - Exploit, Issue Tracking, Third Party Advisory | |
References | () https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj - Mailing List, Vendor Advisory | |
References | () https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/ - Third Party Advisory | |
CPE | cpe:2.3:a:apache:cloudstack:4.19.1.0:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
07 Aug 2024, 15:17
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
07 Aug 2024, 08:16
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-07 08:16
Updated : 2024-11-21 09:33
NVD link : CVE-2024-42222
Mitre link : CVE-2024-42222
CVE.ORG link : CVE-2024-42222
JSON object : View
Products Affected
apache
- cloudstack
CWE