CVE-2019-3879
In oVirt, REST API before version 4.3.2.1 allows RemoveDiskCommand to run as an internal command, skipping permission validation and enabling a low-privilege user to delete disks attached to guests. A fix exists in 4.3.2.1 and later; upgrade to that version or apply the relevant Red Hat/oVirt upd...