CVE-2024-42062

Name: CVE-2024-42062
Creator: NVD / NIST
Published: 2024-08-07T08:16:12.25+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.2/10EPSS 0.95%

Last modified Jun 17, 2026

CVE-2024-42062 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.. EPSS estimates a 0.95% chance of exploitation in the next 30 days.

Description

CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.

Metrics

CVSS 3.1

7.2/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.95%

56.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Apache	Cloudstack	>= 4.10.0.0, < 4.18.2.3
Apache	Cloudstack	>= 4.19.0.0, < 4.19.1.1

References

https://cloudstack.apache.org/blog/security-release-advisory-4.19.1.1-4.18.2.3Vendor Advisory
https://lists.apache.org/thread/lxqtfd6407prbw3801hb4fz3ot3t8wljMailing List, Release Notes
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-3-and-4-19-1-1/Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/08/06/5

Timeline

Published: Aug 7, 2024
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2024-42062?

How severe is CVE-2024-42062?

CVE-2024-42062 has a CVSS score of 7.2/10 (HIGH severity). The EPSS model estimates a 0.95% probability of exploitation in the next 30 days.

How do I fix CVE-2024-42062?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-42062?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST