CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Description (NVD)
Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys.
Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue.
Analysis (AI)
Apache CloudStack's MinIO integration fails to remove bucket access policies when a bucket is deleted, so the previous bucket owner keeps access through the access and secret keys issued earlier. If another user later creates a bucket with the same name, the former owner gains read/write access to it with those old keys. CISA has not listed this CVE in KEV, indicating no confirmed widespread exploitation. CVSS 8.0 reflects high impact (C:H/I:H/A:H with a scope change), but exploitation requires an authenticated low-privilege account and user interaction (PR:L/UI:R: another user has to create a bucket with the reused name), which tempers the immediate urgency. Fixes are available in CloudStack 4.20.3.0 and 4.22.0.1.
Technical Context (AI)
This vulnerability stems from CWE-459 (Incomplete Cleanup) in Apache CloudStack's object storage integration with MinIO. CloudStack is an Infrastructure-as-a-Service platform for managing cloud computing environments. When CloudStack provisions a MinIO bucket, it issues access and secret keys to the bucket owner and attaches an IAM-style policy that grants those keys access to the bucket. The affected product (CPE: apache_software_foundation:apache_cloudstack) fails to revoke that MinIO policy when the bucket is deleted, leaving stale credentials and policy mappings active in MinIO's policy store. MinIO's bucket namespace is global within a deployment, so when a different user reuses the bucket name, the new bucket inherits the old policy mappings and the previous owner gains unintended access: a security boundary violation. The scope change (S:C) in the CVSS vector indicates that this crosses trust boundaries between CloudStack tenants.
Remediation (AI)
Upgrade to Apache CloudStack 4.20.3.0, 4.22.0.1, or a later version, which implement proper MinIO policy cleanup on bucket deletion. The official advisory is available at https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm. If immediate patching is not feasible, implement compensating controls: (1) disable bucket creation/deletion for untrusted users via CloudStack RBAC policies; this prevents attackers from triggering the bucket deletion scenario but limits self-service object storage functionality. (2) Enforce unique bucket naming conventions using UUID prefixes or organizational namespaces to prevent name collisions; this reduces the attack surface but requires changes to existing workflows and may break applications that expect user-defined bucket names. (3) Audit MinIO policies manually and revoke orphaned credentials that match deleted buckets; this is operationally intensive and error-prone without automation. No workaround fully mitigates the vulnerability; patching is the only complete remediation.
Related identifiers: EUVD-2025-209743, GHSA-8fr5-rq46-q395