CVE-2024-42222

low-risk

Published 2024-08-07

In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data. Affected users are advised to upgrade to version 4.19.1.1 to address this issue. Users on older versions of CloudStack considering to upgrade, can skip 4.19.1.0 and upgrade directly to 4.19.1.1.

Do I need to act?

0.52% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Cloudstack

Affected Vendors

Apache

References (5)

Vendor Advisory https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3

Exploit https://github.com/apache/cloudstack/issues/9456

Mailing List https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wlj

Third Party Advisory https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security...

http://www.openwall.com/lists/oss-security/2024/08/06/6

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal