PT-2025-25171 · Apache · Apache Cloudstack
Kevin
+1
·
Published
2025-06-10
·
Updated
2025-06-11
·
CVE-2025-47849
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache CloudStack versions 4.10.0.0 through 4.20.0.0
Description
A privilege escalation issue exists where a malicious Domain Admin user in the ROOT domain can obtain the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted, allowing the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources, potentially resulting in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.
Recommendations
To resolve the issue, upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which includes the following fixes:
- Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role.
- API privilege comparison: the caller must possess all privileges of the user they are operating on.
- Two new domain-level settings are introduced to restrict operations:
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
Fix
DoS
LPE
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Cloudstack