漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Apache CloudStack: User Key Exposure to Domain Admins
Vulnerability Description
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.
CVSS Information
N/A
Vulnerability Type
授权机制不正确
Vulnerability Title
Apache CloudStack 信息泄露漏洞
Vulnerability Description
Apache CloudStack是美国阿帕奇(Apache)基金会的一套基础架构即服务(IaaS)云计算平台。该平台主要用于部署和管理大型虚拟机网络。 Apache CloudStack 4.10.0到4.19.1.0版本存在信息泄露漏洞,该漏洞源于存在访问权限验证问题,允许域管理员账户查询环境中所有注册的账户用户的API和密钥,可能导致基础设施的完整性和机密性受到损害,数据丢失,以及拒绝服务和可用性问题。
CVSS Information
N/A
Vulnerability Type
N/A