Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2025-1299
Vulnerability from csaf_certbund - Published: 2025-06-10 22:00 - Updated: 2025-06-10 22:00Summary
Apache CloudStack: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Apache CloudStack ist eine Sofwareplattform zum Verwalten großer Netzwerke von virtuellen Maschienen als eine hoch verfügbare, hoch skalierbare Infrastructure as a Service (IaaS) Cloud Computing Plattform. CloudStack wurde von Citrix entwicklet und anschließend über Apache als Open Source Software zur Verfügung gestellt.
Angriff
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache CloudStack ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen und um seine Privilegien zu erweitern.
Betroffene Betriebssysteme
- Linux
- UNIX
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Apache CloudStack ist eine Sofwareplattform zum Verwalten gro\u00dfer Netzwerke von virtuellen Maschienen als eine hoch verf\u00fcgbare, hoch skalierbare Infrastructure as a Service (IaaS) Cloud Computing Plattform. CloudStack wurde von Citrix entwicklet und anschlie\u00dfend \u00fcber Apache als Open Source Software zur Verf\u00fcgung gestellt.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Apache CloudStack ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen und um seine Privilegien zu erweitern.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1299 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1299.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1299 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1299"
},
{
"category": "external",
"summary": "Apache CloudStack Security Advisory vom 2025-06-10",
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0"
}
],
"source_lang": "en-US",
"title": "Apache CloudStack: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-06-10T22:00:00.000+00:00",
"generator": {
"date": "2025-06-11T10:37:44.954+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2025-1299",
"initial_release_date": "2025-06-10T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-06-10T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.19.3.0",
"product": {
"name": "Apache CloudStack \u003c4.19.3.0",
"product_id": "T044539"
}
},
{
"category": "product_version",
"name": "4.19.3.0",
"product": {
"name": "Apache CloudStack 4.19.3.0",
"product_id": "T044539-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:cloudstack:4.19.3.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.20.1.0",
"product": {
"name": "Apache CloudStack \u003c4.20.1.0",
"product_id": "T044540"
}
},
{
"category": "product_version",
"name": "4.20.1.0",
"product": {
"name": "Apache CloudStack 4.20.1.0",
"product_id": "T044540-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:cloudstack:4.20.1.0"
}
}
}
],
"category": "product_name",
"name": "CloudStack"
}
],
"category": "vendor",
"name": "Apache"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22829",
"product_status": {
"known_affected": [
"T044539",
"T044540"
]
},
"release_date": "2025-06-10T22:00:00.000+00:00",
"title": "CVE-2025-22829"
},
{
"cve": "CVE-2025-26521",
"product_status": {
"known_affected": [
"T044539",
"T044540"
]
},
"release_date": "2025-06-10T22:00:00.000+00:00",
"title": "CVE-2025-26521"
},
{
"cve": "CVE-2025-30675",
"product_status": {
"known_affected": [
"T044539",
"T044540"
]
},
"release_date": "2025-06-10T22:00:00.000+00:00",
"title": "CVE-2025-30675"
},
{
"cve": "CVE-2025-47713",
"product_status": {
"known_affected": [
"T044539",
"T044540"
]
},
"release_date": "2025-06-10T22:00:00.000+00:00",
"title": "CVE-2025-47713"
},
{
"cve": "CVE-2025-47849",
"product_status": {
"known_affected": [
"T044539",
"T044540"
]
},
"release_date": "2025-06-10T22:00:00.000+00:00",
"title": "CVE-2025-47849"
}
]
}
CVE-2025-30675 (GCVE-0-2025-30675)
Vulnerability from cvelistv5 – Published: 2025-06-10 23:12 – Updated: 2025-06-11 13:52
VLAI?
EPSS
Summary
In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.
A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.
This vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller's scope rather than defaulting to the ROOT domain.
Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.
Severity ?
4.7 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.0.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Bernardo De Marco Gonçalves <bernardomg2004@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30675",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T13:52:11.857369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T13:52:21.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bernardo De Marco Gon\u00e7alves \u003cbernardomg2004@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eIn Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the \u0027domainid\u0027 parameter along with the \u0027filter=self\u0027 or \u0027filter=selfexecutable\u0027 values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.\u0026nbsp;\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eThis vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller\u0027s scope rather than defaulting to the ROOT domain.\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAffected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.\u003c/span\u003e\u003c/div\u003e"
}
],
"value": "In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the \u0027domainid\u0027 parameter along with the \u0027filter=self\u0027 or \u0027filter=selfexecutable\u0027 values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.\n\nA malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.\u00a0\n\nThis vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller\u0027s scope rather than defaulting to the ROOT domain.\n\n\n\n\nAffected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:12:23.838Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Unauthorised template/ISO list access to the domain/resource admins",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-30675",
"datePublished": "2025-06-10T23:12:23.838Z",
"dateReserved": "2025-03-25T07:15:12.974Z",
"dateUpdated": "2025-06-11T13:52:21.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22829 (GCVE-0-2025-22829)
Vulnerability from cvelistv5 – Published: 2025-06-10 23:11 – Updated: 2025-06-11 13:53
VLAI?
EPSS
Summary
The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.
Quota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.20.0.0 , < 4.20.1.0
(semver)
|
Credits
Fabricio Duarte <fabricio.duarte.jr@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T13:53:33.346984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T13:53:45.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Fabricio Duarte \u003cfabricio.duarte.jr@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.\u003cbr\u003e\u003cbr\u003eQuota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue."
}
],
"value": "The CloudStack Quota plugin has an improper privilege management logic in version 4.20.0.0. Anyone with authenticated user-account access in CloudStack 4.20.0.0 environments, where this plugin is enabled and have access to specific APIs can enable or disable reception of quota-related emails for any account in the environment and list their configurations.\n\nQuota plugin users using CloudStack 4.20.0.0 are recommended to upgrade to CloudStack version 4.20.1.0, which fixes this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:22:01.081Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.staged.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Unauthorised access to dedicated resources in Quota plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-22829",
"datePublished": "2025-06-10T23:11:24.828Z",
"dateReserved": "2025-01-07T23:23:17.658Z",
"dateUpdated": "2025-06-11T13:53:45.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47713 (GCVE-0-2025-47713)
Vulnerability from cvelistv5 – Published: 2025-06-10 23:06 – Updated: 2025-06-14 03:56
VLAI?
EPSS
Summary
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:
* Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role.
* API privilege comparison: the caller must possess all privileges of the user they are operating on.
* Two new domain-level settings (restricted to the default Admin):
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
Severity ?
No CVSS data available.
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.10.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Scott Schmitz <sschmitz@ussignal.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:14.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Scott Schmitz \u003csschmitz@ussignal.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eStrict validation on Role Type hierarchy: the caller\u0027s user-account role must be equal to or higher than the target user-account\u0027s role.\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAPI privilege comparison: the caller must possess all privileges of the user they are operating on. \u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eTwo new domain-level settings (restricted to the default Admin): \u003cbr\u003e\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\". \u003cbr\u003e\u0026nbsp; \u0026nbsp;- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e\u003c/span\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts.\u00a0A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that\u00a0could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\n * Strict validation on Role Type hierarchy: the caller\u0027s user-account role must be equal to or higher than the target user-account\u0027s role.\n * API privilege comparison: the caller must possess all privileges of the user they are operating on. \n * Two new domain-level settings (restricted to the default Admin): \n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\". \n\u00a0 \u00a0- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:06:45.585Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Domain Admin can reset Admin password in Root Domain",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-47713",
"datePublished": "2025-06-10T23:06:45.585Z",
"dateReserved": "2025-05-07T22:41:41.858Z",
"dateUpdated": "2025-06-14T03:56:14.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47849 (GCVE-0-2025-47849)
Vulnerability from cvelistv5 – Published: 2025-06-10 23:07 – Updated: 2025-06-14 03:56
VLAI?
EPSS
Summary
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.
Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:
* Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role.
* API privilege comparison: the caller must possess all privileges of the user they are operating on.
* Two new domain-level settings (restricted to the default admin):
- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
Severity ?
No CVSS data available.
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.10.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Kevin Li <kli74@apple.com>
Scott Schmitz <sschmitz@ussignal.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-47849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:15.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.10.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Li \u003ckli74@apple.com\u003e"
},
{
"lang": "en",
"type": "finder",
"value": "Scott Schmitz \u003csschmitz@ussignal.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. \u003c/span\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eA malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\u003c/span\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e\u003c/div\u003e\u003cdiv\u003e\u003cul\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eStrict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eAPI privilege comparison: the caller must possess all privileges of the user they are operating on.\u0026nbsp;\u003c/span\u003e\u003c/li\u003e\u003cli\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eTwo new domain-level settings (restricted to the default admin):\u0026nbsp;\u003cbr\u003e\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\".\u0026nbsp;\u003cbr\u003e\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.\u003c/span\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
}
],
"value": "A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\n\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\n\n\n * Strict validation on Role Type hierarchy: the caller\u0027s role must be equal to or higher than the target user\u0027s role.\u00a0\n * API privilege comparison: the caller must possess all privileges of the user they are operating on.\u00a0\n * Two new domain-level settings (restricted to the default admin):\u00a0\n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\".\u00a0\n\u2003- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:07:54.526Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: Insecure access of user\u0027s API/Secret Keys in the same domain",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-47849",
"datePublished": "2025-06-10T23:07:54.526Z",
"dateReserved": "2025-05-12T08:45:45.595Z",
"dateUpdated": "2025-06-14T03:56:15.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26521 (GCVE-0-2025-26521)
Vulnerability from cvelistv5 – Published: 2025-06-10 23:08 – Updated: 2025-06-14 03:56
VLAI?
EPSS
Summary
When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the 'kubeadmin' user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the 'kubeadmin' user of the CKS cluster's creator's account. An attacker who's a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator's account.
CKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role "Project Kubernetes Service Role" with the following details:
Account Name
kubeadmin-<FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID>
First Name
Kubernetes
Last Name
Service User
Account Type
0 (Normal User)
Role ID
<ID_OF_SERVICE_ROLE>
2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.
3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.
4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:
api-url = <API_URL> # For example: <MS_URL>/client/api
api-key = <SERVICE_USER_API_KEY>
secret-key = <SERVICE_USER_SECRET_KEY>
project-id = <PROJECT_ID>
Delete the existing secret using kubectl and Kubernetes cluster config:
./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret
Create a new secret using kubectl and Kubernetes cluster config:
./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config
Remove the temporary file:
rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster.
Severity ?
No CVSS data available.
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache CloudStack |
Affected:
4.17.0.0 , < 4.19.3.0
(semver)
Affected: 4.20.0.0 , < 4.20.1.0 (semver) |
Credits
Wei Zhou (weizhou@apache.org)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-26521",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:16.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache CloudStack",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.19.3.0",
"status": "affected",
"version": "4.17.0.0",
"versionType": "semver"
},
{
"lessThan": "4.20.1.0",
"status": "affected",
"version": "4.20.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wei Zhou (weizhou@apache.org)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\u003cbr\u003e\u003cbr\u003eCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.\u003ch3\u003eUpdating Existing Kubernetes Clusters in Projects\u003c/h3\u003eA \u003cb\u003eservice account\u003c/b\u003e should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:\u003ch3\u003e1. Create a New Service Account\u003c/h3\u003e\u003cdiv\u003eCreate a new account using the role \u003cb\u003e\"Project Kubernetes Service Role\"\u003c/b\u003e with the following details:\u003c/div\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eAccount Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003ekubeadmin-\u0026lt;FIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u0026gt;\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eFirst Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eKubernetes\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eLast Name\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eService User\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eAccount Type\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e0 (Normal User)\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cb\u003eRole ID\u003c/b\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u0026lt;ID_OF_SERVICE_ROLE\u0026gt;\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003c/div\u003e\u003ch3\u003e2. Add the Service Account to the Project\u003c/h3\u003eAdd this account to the \u003cb\u003eproject\u003c/b\u003e where the Kubernetes cluster(s) are hosted.\u003cbr\u003e\u003ch3\u003e3. Generate API and Secret Keys\u003c/h3\u003eGenerate \u003cb\u003eAPI Key\u003c/b\u003e and \u003cb\u003eSecret Key\u003c/b\u003e for the \u003ci\u003edefault user\u003c/i\u003e of this account.\u003cbr\u003e\u003ch3\u003e4. Update the CloudStack Secret in the Kubernetes Cluster\u003c/h3\u003eCreate a temporary file `/tmp/cloud-config` with the following data:\u003cbr\u003e\u0026nbsp;\u0026nbsp;\u003ctt\u003e\u0026nbsp;api-url = \u0026lt;API_URL\u0026gt; \u0026nbsp; \u0026nbsp; # For example: \u0026lt;MS_URL\u0026gt;/client/api\u003cbr\u003e\u0026nbsp; api-key = \u0026lt;SERVICE_USER_API_KEY\u0026gt;\u003cbr\u003e\u0026nbsp; secret-key = \u0026lt;SERVICE_USER_SECRET_KEY\u0026gt;\u003cbr\u003e\u003c/tt\u003e\u003cdiv\u003e\u003ctt\u003e\u0026nbsp; project-id = \u0026lt;PROJECT_ID\u0026gt;\u003c/tt\u003e\u003c/div\u003e\u003cdiv\u003e\u003ctt\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/div\u003eDelete the existing secret using kubectl and Kubernetes cluster config:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp;\u0026nbsp;\u003ctt\u003e\u0026nbsp;./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\u003c/tt\u003e\u003c/div\u003e\u003cdiv\u003e\u003ctt\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/div\u003eCreate a new secret using kubectl and Kubernetes cluster config:\u003cbr\u003e\u003cdiv\u003e\u0026nbsp; \u0026nbsp; ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eRemove the temporary file:\u003cbr\u003e\u0026nbsp; \u0026nbsp; rm /tmp/cloud-config\u003ch3\u003e5. Regenerate API and Secret Keys\u003c/h3\u003eRegenerate the API and secret keys for the \u003cb\u003eoriginal user account\u003c/b\u003e that was used to create the Kubernetes cluster.\u003cbr\u003e"
}
],
"value": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret key of the \u0027kubeadmin\u0027 user of the caller account are used to create the secret config in the CKS-based Kubernetes cluster. A member of the project who can access the CKS-based Kubernetes cluster, can also access the API key and secret key of the \u0027kubeadmin\u0027 user of the CKS cluster\u0027s creator\u0027s account. An attacker who\u0027s a member of the project can exploit this to impersonate and perform privileged actions that can result in complete compromise of the confidentiality, integrity, and availability of resources owned by the creator\u0027s account.\n\nCKS users are recommended to upgrade to version 4.19.3.0 or 4.20.1.0, which fixes this issue.Updating Existing Kubernetes Clusters in ProjectsA service account should be created for each project to provide limited access specifically for Kubernetes cluster providers and autoscaling. Follow the steps below to create a new service account, update the secret inside the cluster, and regenerate existing API and service keys:1. Create a New Service AccountCreate a new account using the role \"Project Kubernetes Service Role\" with the following details:\n\nAccount Name\nkubeadmin-\u003cFIRST_EIGHT_CHARACTERS_OF_PROJECT_ID\u003e\nFirst Name\nKubernetes\nLast Name\nService User\nAccount Type\n0 (Normal User)\nRole ID\n\u003cID_OF_SERVICE_ROLE\u003e\n\n\n\n2. Add the Service Account to the ProjectAdd this account to the project where the Kubernetes cluster(s) are hosted.\n3. Generate API and Secret KeysGenerate API Key and Secret Key for the default user of this account.\n4. Update the CloudStack Secret in the Kubernetes ClusterCreate a temporary file `/tmp/cloud-config` with the following data:\n\u00a0\u00a0\u00a0api-url = \u003cAPI_URL\u003e \u00a0 \u00a0 # For example: \u003cMS_URL\u003e/client/api\n\u00a0 api-key = \u003cSERVICE_USER_API_KEY\u003e\n\u00a0 secret-key = \u003cSERVICE_USER_SECRET_KEY\u003e\n\u00a0 project-id = \u003cPROJECT_ID\u003e\n\n\n\n\nDelete the existing secret using kubectl and Kubernetes cluster config:\n\u00a0\u00a0\u00a0./kubectl --kubeconfig kube.conf -n kube-system delete secret cloudstack-secret\n\n\n\n\nCreate a new secret using kubectl and Kubernetes cluster config:\n\u00a0 \u00a0 ./kubectl --kubeconfig kube.conf -n kube-system create secret generic cloudstack-secret --from-file=/tmp/cloud-config\n\n\n\n\nRemove the temporary file:\n\u00a0 \u00a0 rm /tmp/cloud-config5. Regenerate API and Secret KeysRegenerate the API and secret keys for the original user account that was used to create the Kubernetes cluster."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T23:08:48.602Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CloudStack: CKS cluster in project exposes user API keys",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-26521",
"datePublished": "2025-06-10T23:08:48.602Z",
"dateReserved": "2025-02-12T09:12:55.769Z",
"dateUpdated": "2025-06-14T03:56:16.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…