CVE-2025-47713 - Vulnerability Details

Link	Providers
https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/
https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60
https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Description		A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following: * Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role. * API privilege comparison: the caller must possess all privileges of the user they are operating on. * Two new domain-level settings (restricted to the default Admin): - role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: "Admin, DomainAdmin, ResourceAdmin". - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.
Title		Apache CloudStack: Domain Admin can reset Admin password in Root Domain
Weaknesses		CWE-269
References		https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/ https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60 https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47713", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-05-07T22:41:41.858Z", "datePublished": "2025-06-10T23:06:45.585Z", "dateUpdated": "2025-06-14T03:56:14.817Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache CloudStack", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "4.19.3.0", "status": "affected", "version": "4.10.0", "versionType": "semver"}, {"lessThan": "4.20.1.0", "status": "affected", "version": "4.20.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Scott Schmitz <sschmitz@ussignal.com>"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack. </div><div>Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following: <div><ul><li>Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role.</li><li>API privilege comparison: the caller must possess all privileges of the user they are operating on. </li><li>Two new domain-level settings (restricted to the default Admin): \u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\".    - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.</li></ul></div></div>"}], "value": "A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts.\u00a0A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that\u00a0could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\n * Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role.\n * API privilege comparison: the caller must possess all privileges of the user they are operating on. \n * Two new domain-level settings (restricted to the default Admin): \n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\". \n\u00a0 \u00a0- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true."}], "metrics": [{"other": {"content": {"text": "critical"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-06-10T23:06:45.585Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"}, {"tags": ["third-party-advisory"], "url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"}, {"tags": ["mailing-list"], "url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache CloudStack: Domain Admin can reset Admin password in Root Domain", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-13T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-47713"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-14T03:56:14.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-47713", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-11T13:46:01.136950Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-11T13:46:50.423Z"}}], "cna": {"title": "Apache CloudStack: Domain Admin can reset Admin password in Root Domain", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Scott Schmitz <sschmitz@ussignal.com>"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "critical"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache CloudStack", "versions": [{"status": "affected", "version": "4.10.0", "lessThan": "4.19.3.0", "versionType": "semver"}, {"status": "affected", "version": "4.20.0.0", "lessThan": "4.20.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/", "tags": ["vendor-advisory"]}, {"url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/", "tags": ["third-party-advisory"]}, {"url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60", "tags": ["mailing-list"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts.\u00a0A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that\u00a0could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\n * Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role.\n * API privilege comparison: the caller must possess all privileges of the user they are operating on. \n * Two new domain-level settings (restricted to the default Admin): \n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\". \n\u00a0 \u00a0- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.", "supportingMedia": [{"type": "text/html", "value": "<div>A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts. A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack. </div><div>Users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following: <div><ul><li>Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role.</li><li>API privilege comparison: the caller must possess all privileges of the user they are operating on. </li><li>Two new domain-level settings (restricted to the default Admin): \u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\".    - allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true.</li></ul></div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-06-10T23:06:45.585Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47713", "state": "PUBLISHED", "dateUpdated": "2025-06-14T03:56:14.817Z", "dateReserved": "2025-05-07T22:41:41.858Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-06-10T23:06:45.585Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A privilege escalation vulnerability exists in Apache CloudStack versions 4.10.0.0 through 4.20.0.0 where a malicious Domain Admin user in the ROOT domain can reset the password of user-accounts of Admin role type. This operation is not appropriately restricted and allows the attacker to assume control over higher-privileged user-accounts.\u00a0A malicious Domain Admin attacker can impersonate an Admin user-account and gain access to sensitive APIs and resources that\u00a0could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of infrastructure managed by CloudStack.\n\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0, which fixes the issue with the following:\n * Strict validation on Role Type hierarchy: the caller's user-account role must be equal to or higher than the target user-account's role.\n * API privilege comparison: the caller must possess all privileges of the user they are operating on. \n * Two new domain-level settings (restricted to the default Admin): \n\u2003- role.types.allowed.for.operations.on.accounts.of.same.role.type: Defines which role types are allowed to act on users of the same role type. Default: \"Admin, DomainAdmin, ResourceAdmin\". \n\u00a0 \u00a0- allow.operations.on.users.in.same.account: Allows/disallows user operations within the same account. Default: true."}, {"lang": "es", "value": "Existe una vulnerabilidad de escalada de privilegios en Apache CloudStack, versiones 4.10.0.0 a 4.20.0.0, donde un usuario administrador de dominio malintencionado en el dominio ROOT puede restablecer la contrase\u00f1a de las cuentas de usuario con el rol de administrador. Esta operaci\u00f3n no est\u00e1 restringida adecuadamente y permite al atacante asumir el control de cuentas de usuario con privilegios m\u00e1s altos. Un atacante malintencionado de dominio puede suplantar una cuenta de usuario administrador y obtener acceso a API y recursos confidenciales, lo que podr\u00eda comprometer la integridad y confidencialidad de los recursos, la p\u00e9rdida de datos, la denegaci\u00f3n de servicio y la disponibilidad de la infraestructura administrada por CloudStack. Se recomienda a los usuarios actualizar a Apache CloudStack 4.19.3.0 o 4.20.1.0, que soluciona el problema con lo siguiente: * Validaci\u00f3n estricta en la jerarqu\u00eda de tipos de rol: el rol de la cuenta de usuario del llamante debe ser igual o superior al rol de la cuenta de usuario de destino. * Comparaci\u00f3n de privilegios de API: el usuario que realiza la llamada debe tener todos los privilegios del usuario con el que opera. * Dos nuevas configuraciones a nivel de dominio (restringidas al administrador predeterminado): - role.types.allowed.for.operations.on.accounts.of.same.role.type: Define qu\u00e9 tipos de rol pueden actuar sobre usuarios del mismo tipo. Predeterminado: \"Admin, DomainAdmin, ResourceAdmin\". - allow.operations.on.users.in.same.account: Permite o impide las operaciones de usuario dentro de la misma cuenta. Predeterminado: true."}], "id": "CVE-2025-47713", "lastModified": "2025-06-12T16:06:20.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-06-10T23:15:58.320", "references": [{"source": "security@apache.org", "url": "https://cloudstack.apache.org/blog/cve-advisories-4.19.3.0-4.20.1.0/"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/y3qnwn59t8qggtdohv7k7vw39bgb3d60"}, {"source": "security@apache.org", "url": "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-19-3-0-and-4-20-1-0/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@apache.org", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object