CVE-2024-42222

Aug. 7, 2024, 3:17 p.m.

None
No Score

Description

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data. Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.

Product(s) Impacted

Product Versions
Apache CloudStack
  • ['4.19.1.0']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3
https://github.com/apache/cloudstack/issues/9456
https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/

Tags

CWE-200
security@apache.org
2024-08-07
CVE-2024-42222

Timeline

Published: Aug. 7, 2024, 8:16 a.m.
Last Modified: Aug. 7, 2024, 3:17 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@apache.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.