PT-2025-25167 · Apache · Apache Cloudstack
Wei Zhou · Published 2025-06-10 · Updated 2025-06-10 · CVE-2025-26521
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Apache CloudStack versions prior to 4.19.3.0
Apache CloudStack versions prior to 4.20.1.0
Description
The issue allows a member of a project to access the API key and secret key of the 'kubeadmin' user belonging to the account that created the CloudStack Kubernetes Service (CKS) cluster, potentially leading to complete compromise of the confidentiality, integrity, and availability of resources owned by that account. An attacker who is a member of the project can exploit this to impersonate the creator's account and perform privileged actions with its permissions.
Recommendations
For versions prior to 4.19.3.0 and 4.20.1.0, upgrade to version 4.19.3.0 or 4.20.1.0 to fix the issue.
As a temporary workaround, create a dedicated service account for each project that gives the Kubernetes cluster provider and autoscaler only the limited access they need, replace the secret stored inside the cluster, and regenerate the existing API and secret keys, following these steps:
- Create a new service account with the role "Project Kubernetes Service Role".
- Add the service account to the project where the Kubernetes cluster(s) are hosted.
- Generate API and secret keys for the default user of this account.
- Update the CloudStack secret in the Kubernetes cluster: create a temporary file containing the API URL, API key, secret key, and project ID, then delete the existing secret and create a new one from that file using kubectl with the cluster's kubeconfig.
- Regenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.
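The secret replacement in step 4, as an added example script that is not part of this advisory or of the CloudStack project. It assumes the cluster keeps the provider credentials in a secret named cloudstack-secret (key cloud-config) in the kube-system namespace, the layout the CloudStack Kubernetes provider reads, and that KUBECTL (default kubectl) names the client binary; the key regeneration in step 5 is done in CloudStack itself and is not covered here.

```shell
#!/usr/bin/env bash
# Added example: rotate the CloudStack credentials a CKS cluster stores for its
# cloud provider (assumed secret name/namespace/key, see lead-in).
set -eu

# Write the cloud-config file read by the CloudStack cloud provider.
# Arguments: api-url api-key secret-key project-id out-file.
# The file holds a live secret key, so it is created owner-read/write only.
write_cloud_config() {
  local api_url="${1:?api-url required}" api_key="${2:?api-key required}"
  local secret_key="${3:?secret-key required}" project_id="${4:?project-id required}"
  local out="${5:?output path required}"
  rm -f "$out"
  (
    umask 077
    cat > "$out" <<EOF
[Global]
api-url = ${api_url}
api-key = ${api_key}
secret-key = ${secret_key}
project-id = ${project_id}
EOF
  )
}

# Replace the in-cluster secret with the new credentials.
# Arguments: cloud-config path, kubeconfig path.
# KUBECTL can point at a logging stub to review the commands before running them.
rotate_cluster_secret() {
  local cfg="${1:?cloud-config path required}" kubeconfig="${2:?kubeconfig required}"
  local kc="${KUBECTL:-kubectl}"
  "$kc" --kubeconfig "$kubeconfig" -n kube-system delete secret cloudstack-secret \
    --ignore-not-found
  "$kc" --kubeconfig "$kubeconfig" -n kube-system create secret generic cloudstack-secret \
    --from-file=cloud-config="$cfg"
  # The credentials now live in the cluster; remove the plaintext copy on disk.
  rm -f "$cfg"
}

# Usage (values are placeholders for the new service account created in steps 1-3):
#   write_cloud_config "https://cloudstack.example/client/api" "<api-key>" \
#       "<secret-key>" "<project-id>" /tmp/cloud-config
#   rotate_cluster_secret /tmp/cloud-config ~/.kube/cks-cluster.conf
```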
Weakness Enumeration
Information Disclosure
Affected Products
Apache Cloudstack