Vulnerabilities > Ovirt

DATE CVE VULNERABILITY TITLE RISK
2020-12-21 CVE-2020-35497 Information Exposure vulnerability in multiple products
A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.
network
low complexity
ovirt redhat CWE-200
4.0
2020-08-18 CVE-2020-14333 Cross-Site Scripting vulnerability in Ovirt Ovirt-Engine
A flaw was found in the oVirt Engine web interface in oVirt 4.4 and earlier, where it did not completely filter user-controllable parameters, resulting in a reflected cross-site scripting attack.
network
ovirt CWE-79
4.3
2020-03-19 CVE-2019-19336 Cross-Site Scripting vulnerability in multiple products
A cross-site scripting vulnerability was reported in the OAuth authorization endpoint of oVirt-engine before version 4.3.8.
network
ovirt redhat CWE-79
4.3
2019-12-10 CVE-2013-0293 Improper Privilege Management vulnerability in Ovirt Node 2.6.01
oVirt Node: Lock screen accepts F2 to drop to shell causing privilege escalation
local
low complexity
ovirt CWE-269
7.2
2019-12-02 CVE-2012-4480 Improper Privilege Management vulnerability in multiple products
mom creates world-writable pid files in /var/run
local
low complexity
ovirt fedoraproject CWE-269
4.6
2019-11-25 CVE-2012-5518 Improper Certificate Validation vulnerability in Ovirt Vdsm
vdsm: certificate generation upon node creation allowing vdsm to start and serve requests from anyone who has a matching key (and certificate)
network
ovirt CWE-295
4.3
2019-11-01 CVE-2013-4367 Incorrect Permission Assignment for Critical Resource vulnerability in Ovirt Ovirt-Engine 3.2
ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writable due to an upstream kernel change that affected how Python's os.chmod() works when passed a mode of '-1'.
local
low complexity
ovirt linux CWE-732
4.6
2019-07-11 CVE-2019-10194 Information Exposure Through LOG Files vulnerability in Ovirt
Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions.
local
low complexity
ovirt CWE-532
2.1
2019-05-17 CVE-2019-10139 Credentials Management vulnerability in Ovirt Cockpit-Ovirt
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an Ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords in plain text.
local
low complexity
ovirt CWE-255
2.1
2019-03-25 CVE-2019-3879 Missing Authorization vulnerability in multiple products
It was discovered that in oVirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped.
network
low complexity
ovirt redhat CWE-862
5.5