
CVE-2025-47849: CWE-269 Improper Privilege Management in Apache Software Foundation Apache CloudStack

Severity: High
Published: Tue Jun 10 2025 (06/10/2025, 23:07:54 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache CloudStack

Description

A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.

Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:

* Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role.
* API privilege comparison: the caller must possess all privileges of the user they are operating on.
* Two new domain-level settings (restricted to the default admin):
  - role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".
  - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.

AI-Powered Analysis

Last updated: 07/11/2025, 05:46:13 UTC

Technical Analysis

CVE-2025-47849 is a high-severity privilege escalation vulnerability affecting Apache CloudStack versions 4.10.0.0 through 4.20.0.0. The flaw arises from improper privilege management (CWE-269) where a malicious Domain Admin user within the ROOT domain can retrieve the API key and secret key of user accounts holding the Admin role type in the same domain. This vulnerability stems from insufficient restrictions on operations that allow a Domain Admin to impersonate higher-privileged Admin users. By exploiting this, an attacker can gain unauthorized access to sensitive APIs and resources, potentially compromising the confidentiality and integrity of managed cloud infrastructure, causing data loss, denial of service, and impacting availability. The root cause is the lack of strict validation on role hierarchy and privilege comparison when performing operations on user accounts. The issue is addressed in Apache CloudStack versions 4.19.3.0 and 4.20.1.0 by enforcing that the caller's role must be equal to or higher than the target user's role and requiring the caller to possess all privileges of the user they operate on. Additionally, two domain-level settings were introduced to control which role types can act on accounts of the same role type and whether operations on users within the same account are allowed. No known exploits are reported in the wild yet, but the vulnerability's high CVSS score (8.8) reflects its potential impact and ease of exploitation over the network without user interaction, requiring only low privileges (Domain Admin).
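The following is an added example, not code from Apache CloudStack, that models the authorization check described in the Description and the Technical Analysis: the pre-fix check stops at domain scope, while the post-fix check adds the role-hierarchy rule, the privilege-superset rule and the two new domain-level settings. The numeric role ranking, the "User" role type and the sample privilege names are assumptions made for the model.

```python
from dataclasses import dataclass

# Assumed ordering of CloudStack role types; a higher number is more privileged.
ROLE_RANK = {"User": 0, "DomainAdmin": 1, "ResourceAdmin": 2, "Admin": 3}

@dataclass(frozen=True)
class Account:
    name: str
    role_type: str
    domain: str
    privileges: frozenset  # API names the account's role is allowed to call

@dataclass(frozen=True)
class DomainSettings:
    # role.types.allowed.for.operations.on.accounts.of.same.role.type
    same_role_allowed: frozenset = frozenset({"Admin", "DomainAdmin", "ResourceAdmin"})
    # allow.operations.on.users.in.same.account
    allow_same_account: bool = True

def pre_fix_check(caller: Account, target: Account) -> bool:
    """Pre-fix behaviour as the advisory describes it: same domain is enough."""
    return caller.domain == target.domain

def post_fix_check(caller, target, settings, same_account=False):
    """Return (allowed, reason) after applying the checks the fix introduced."""
    if caller.domain != target.domain:
        return False, "target is outside the caller's domain"
    if same_account and not settings.allow_same_account:
        return False, "operations on users in the same account are disabled"
    if ROLE_RANK[caller.role_type] < ROLE_RANK[target.role_type]:
        return False, "caller's role type is lower than the target's"
    if (caller.role_type == target.role_type
            and caller.role_type not in settings.same_role_allowed):
        return False, "role type may not act on accounts of the same role type"
    missing = target.privileges - caller.privileges  # caller must hold a superset
    if missing:
        return False, "caller lacks privileges: " + ", ".join(sorted(missing))
    return True, "ok"

# Constructed sample accounts and privilege sets (not real CloudStack data).
ADMIN = Account("admin", "Admin", "ROOT",
                frozenset({"listUsers", "getUserKeys", "updateConfiguration"}))
DOMAIN_ADMIN = Account("dadmin", "DomainAdmin", "ROOT",
                       frozenset({"listUsers", "getUserKeys"}))
```

With these sample accounts, `pre_fix_check(DOMAIN_ADMIN, ADMIN)` passes because both live in ROOT, while `post_fix_check` rejects the same operation on the role-hierarchy rule.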

Potential Impact

For European organizations using Apache CloudStack for cloud infrastructure management, this vulnerability poses a significant risk. An attacker with Domain Admin privileges could escalate their access to Admin-level accounts, gaining control over critical cloud resources and APIs. This could lead to unauthorized data access, modification, or deletion, disrupting business operations and causing compliance violations under regulations such as GDPR. The compromise of infrastructure availability could result in downtime affecting services and customers. Given the central role of cloud management platforms in digital transformation and service delivery, exploitation could have cascading effects on dependent systems and data. Organizations in sectors with high regulatory scrutiny or critical infrastructure reliance (e.g., finance, healthcare, government) are particularly vulnerable to the confidentiality and availability impacts of this flaw.

Mitigation Recommendations

European organizations should prioritize upgrading Apache CloudStack to versions 4.19.3.0 or 4.20.1.0 or later, where the vulnerability is fixed. Beyond patching, administrators should review and tighten role assignments and domain-level settings to limit which roles can perform operations on accounts of the same role type. Specifically, restrict the 'role.types.allowed.for.operations.on.accounts.of.same.role.type' setting to the minimum necessary roles and consider disabling 'allow.operations.on.users.in.same.account' if not required. Conduct audits of Domain Admin accounts to ensure only trusted personnel have such privileges. Implement monitoring and alerting on unusual API key access or privilege escalations within CloudStack. Additionally, enforce strong authentication and access controls on the management plane to reduce the risk of initial compromise of Domain Admin accounts. Regularly review CloudStack logs for suspicious activity related to user account operations.


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-05-12T08:45:45.595Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6848bbe13cd93dcca83127ae

Added to database: 6/10/2025, 11:12:33 PM

Last enriched: 7/11/2025, 5:46:13 AM

Last updated: 8/15/2025, 6:50:02 PM

