Vulnerabilities > Ovirt

DATE CVE VULNERABILITY TITLE RISK
2019-11-25 CVE-2012-5518 Improper Certificate Validation vulnerability in Ovirt Vdsm
vdsm: certificate generation upon node creation allowing vdsm to start and serve requests from anyone who has a matching key (and certificate)
network
ovirt CWE-295
4.3
2019-11-01 CVE-2013-4367 Incorrect Permission Assignment for Critical Resource vulnerability in Ovirt Ovirt-Engine 3.2
ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'.
local
low complexity
ovirt linux CWE-732
4.6
2019-07-11 CVE-2019-10194 Information Exposure Through Log Files vulnerability in multiple products
Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions.
local
low complexity
ovirt redhat CWE-532
5.5
2019-05-17 CVE-2019-10139 Insufficiently Protected Credentials vulnerability in Ovirt Cockpit-Ovirt
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text.
local
low complexity
ovirt CWE-522
7.8
2019-03-25 CVE-2019-3879 Missing Authorization vulnerability in multiple products
It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped.
network
low complexity
ovirt redhat CWE-862
5.5
2019-03-25 CVE-2019-3831 A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 and 4.30.5 through 4.30.8.
network
low complexity
ovirt redhat
critical
9.0
2018-08-09 CVE-2018-10908 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources.
network
ovirt redhat CWE-770
7.1
2018-07-27 CVE-2017-15113 Information Exposure Through Log Files vulnerability in multiple products
ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking.
network
high complexity
ovirt redhat CWE-532
6.6
2018-06-26 CVE-2018-1072 Information Exposure Through Log Files vulnerability in multiple products
ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files.
network
low complexity
ovirt redhat CWE-532
5.0
2018-06-20 CVE-2018-1117 ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a missing no_log directive, resulting in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook inadvertently disclosing admin passwords in the provisioning log.
network
low complexity
ovirt redhat
5.0