PT-2024-29718 · Apache · Apache CloudStack

Fabricio Duarte · Published 2024-08-07 · Updated 2024-10-11 · CVE-2024-42062

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions 4.10.0 through 4.19.1.0
Description: The issue is caused by an access permission validation problem that allows domain admin accounts to query the API keys and secret keys of all registered account-users, including those of the root admin. An attacker with domain admin access can exploit this to gain root admin and other-account privileges, resulting in potential compromise of the integrity, confidentiality and availability of resources, data loss, and denial of service of CloudStack-managed infrastructure.
Recommendations: For Apache CloudStack versions 4.10.0 through 4.19.1.0, upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.

Status: Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2024-42062

Affected Products: Apache CloudStack