CVE-2025-66467: CWE-459 Incomplete Cleanup in Apache Software Foundation Apache CloudStack
CVE-2025-66467 is a high-severity vulnerability in Apache CloudStack where MinIO policies are not properly cleaned up when buckets are deleted. This flaw allows previous bucket owners to retain access credentials that can be used to access new buckets created with the same name by other users, leading to unauthorized read and write access. The issue affects Apache CloudStack versions 4. 19. 0. 0 through 4. 21. 0. 0. Users are advised to upgrade to versions 4.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-66467 in Apache CloudStack involves incomplete cleanup of MinIO policies upon bucket deletion. Specifically, when a bucket is deleted, the associated access and secret keys are not revoked or removed, allowing former owners to retain access rights. If a new bucket is created with the same name by a different user, the previous owners can exploit their retained credentials to gain unauthorized read and write access to the new bucket. This issue affects versions 4.19.0.0 and 4.21.0.0 of Apache CloudStack. The vulnerability is classified under CWE-459 (Incomplete Cleanup). The CVSS v3.1 base score is 8.0, indicating high severity, with network attack vector, high privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No known exploits in the wild have been reported. The vendor recommends upgrading to fixed versions 4.20.3.0 or 4.22.0.1 or later.
Potential Impact
Successful exploitation of this vulnerability allows previous bucket owners to retain unauthorized read and write access to buckets they no longer own if those buckets are recreated with the same name by other users. This compromises confidentiality, integrity, and availability of data stored in the affected buckets. The impact is significant given the high CVSS score and the potential for unauthorized data access and modification.
Mitigation Recommendations
Users should upgrade Apache CloudStack to version 4.20.3.0, 4.22.0.1, or later, where this vulnerability has been fixed. Since no official patch links or remediation levels are provided in the advisory, the upgrade to these specified versions is the recommended remediation. Patch status is confirmed by the vendor advisory recommending these versions. No alternative mitigations or temporary fixes are indicated.
CVE-2025-66467: CWE-459 Incomplete Cleanup in Apache Software Foundation Apache CloudStack
Description
CVE-2025-66467 is a high-severity vulnerability in Apache CloudStack where MinIO policies are not properly cleaned up when buckets are deleted. This flaw allows previous bucket owners to retain access credentials that can be used to access new buckets created with the same name by other users, leading to unauthorized read and write access. The issue affects Apache CloudStack versions 4. 19. 0. 0 through 4. 21. 0. 0. Users are advised to upgrade to versions 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2025-66467 in Apache CloudStack involves incomplete cleanup of MinIO policies upon bucket deletion. Specifically, when a bucket is deleted, the associated access and secret keys are not revoked or removed, allowing former owners to retain access rights. If a new bucket is created with the same name by a different user, the previous owners can exploit their retained credentials to gain unauthorized read and write access to the new bucket. This issue affects versions 4.19.0.0 and 4.21.0.0 of Apache CloudStack. The vulnerability is classified under CWE-459 (Incomplete Cleanup). The CVSS v3.1 base score is 8.0, indicating high severity, with network attack vector, high privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No known exploits in the wild have been reported. The vendor recommends upgrading to fixed versions 4.20.3.0 or 4.22.0.1 or later.
Potential Impact
Successful exploitation of this vulnerability allows previous bucket owners to retain unauthorized read and write access to buckets they no longer own if those buckets are recreated with the same name by other users. This compromises confidentiality, integrity, and availability of data stored in the affected buckets. The impact is significant given the high CVSS score and the potential for unauthorized data access and modification.
Mitigation Recommendations
Users should upgrade Apache CloudStack to version 4.20.3.0, 4.22.0.1, or later, where this vulnerability has been fixed. Since no official patch links or remediation levels are provided in the advisory, the upgrade to these specified versions is the recommended remediation. Patch status is confirmed by the vendor advisory recommending these versions. No alternative mitigations or temporary fixes are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2025-12-02T12:29:57.723Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fddc53cbff5d8610d55687
Added to database: 5/8/2026, 12:51:31 PM
Last enriched: 5/8/2026, 1:06:34 PM
Last updated: 5/8/2026, 2:08:33 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.