Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <81d1ff17-4bcb-41db-8bfc-ed9e125b166b@apache.org>
Date: Fri, 8 May 2026 14:15:43 +0200
From: "Piotr P. Karwasz" <pkarwasz@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-66467: Apache CloudStack: MinIO policy remains intact on
 bucket deletion

Severity: important

Affected versions:

- Apache CloudStack 4.19.0.0 through 4.20.2.0
- Apache CloudStack 4.21.0.0 through 4.22.0.0

Description:

Missing MinIO policy cleanup on bucket deletion via Apache CloudStack
allows users to retain access to buckets which they previously owned. If
another user creates a new bucket with the same name, the previous
owners can gain unauthorized read and write access to it by using the
previously generated access and secret keys.

Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0
or 4.22.0.1, or later, which fixes this issue.

Credit:

Roman Kozello <roman.kozello@...il.com> (reporter)

References:

https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
https://cloudstack.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-66467

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.