CVE-2025-47849
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-10

Last updated on: 2025-07-01

Assigner: Apache Software Foundation

Description
A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can get the API key and secret key of user-accounts of Admin role type in the same domain. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following: * Strict validation on Role Type hierarchy: the caller's role must be equal to or higher than the target user's role.Β  * API privilege comparison: the caller must possess all privileges of the user they are operating on.Β  * Two new domain-level settings (restricted to the default admin):Β   - role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin".Β   - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-10
Last Modified
2025-07-01
Generated
2026-05-07
AI Q&A
2025-06-11
EPSS Evaluated
2026-05-05
NVD
CVE-2025-47849
EUVD
EUVD-2025-18066
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache cloudstack From 4.10.0.0 (inc) to 4.19.3.0 (exc)
apache cloudstack From 4.20.0.0 (inc) to 4.20.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a privilege escalation issue in Apache CloudStack versions 4.10.0.0 through 4.20.0.0. A malicious Domain Admin user in the ROOT domain can obtain the API key and secret key of Admin role user-accounts within the same domain. Because the operation is not properly restricted, the attacker can impersonate Admin users and gain access to sensitive APIs and resources, potentially compromising resource integrity, confidentiality, causing data loss, denial of service, and affecting the availability of infrastructure managed by CloudStack.


How can this vulnerability impact me? :

If exploited, this vulnerability allows a malicious Domain Admin to assume control over higher-privileged Admin user accounts. This can lead to unauthorized access to sensitive APIs and resources, resulting in compromise of resource integrity and confidentiality, data loss, denial of service, and disruption of the availability of infrastructure managed by Apache CloudStack.


What immediate steps should I take to mitigate this vulnerability?

Users are recommended to upgrade Apache CloudStack to version 4.19.3.0 or 4.20.1.0, which include fixes such as strict validation on Role Type hierarchy, API privilege comparison, and new domain-level settings to restrict operations on accounts of the same role type. These steps will prevent malicious Domain Admin users from escalating privileges by accessing API keys and secret keys of Admin role users in the same domain.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart