Ovirt-engine Security Vulnerabilities and Issues — Ovirt-engine CVE List

Lucene search

RedhatOvirt-engine

19 matches found

CVE•added 2020/03/19 2:15 p.m.•137 views

CVE-2019-19336

A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in the context of the u...

6.1CVSS5.7AI score0.00305EPSS

CVE•added 2020/08/24 5:15 p.m.•75 views

CVE-2020-10775

An Open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, where it allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL is no longer visible...

5.3CVSS5.3AI score0.00223EPSS

CVE•added 2018/07/27 4:29 p.m.•67 views

CVE-2017-15113

ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubl...

7.2CVSS6.3AI score0.00344EPSS

CVE•added 2019/03/25 7:29 p.m.•60 views

CVE-2019-3879

It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to d...

8.1CVSS7.9AI score0.00584EPSS

CVE•added 2019/11/22 3:15 p.m.•59 views

CVE-2015-1780

oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a storage domain to any data-center

6.5CVSS6.4AI score0.00249EPSS

CVE•added 2018/06/19 12:29 p.m.•59 views

CVE-2018-1073

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.

5.3CVSS5.5AI score0.00269EPSS

CVE•added 2020/12/21 5:15 p.m.•59 views

CVE-2020-35497

A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.

6.5CVSS6.2AI score0.00317EPSS

CVE•added 2018/06/12 1:29 p.m.•58 views

CVE-2018-1075

ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the verification step. Shari...

7.8CVSS7.7AI score0.00043EPSS

CVE•added 2022/10/19 6:15 p.m.•55 views

CVE-2022-2805

A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otapi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss.

6.5CVSS6.1AI score0.00072EPSS

CVE•added 2014/09/08 2:55 p.m.•53 views

CVE-2014-0152

Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors.

6.8CVSS6.8AI score0.00396EPSS

CVE•added 2022/09/28 7:15 p.m.•53 views

CVE-2022-3193

An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages.

6.1CVSS6AI score0.00365EPSS

CVE•added 2015/02/13 3:59 p.m.•49 views

CVE-2014-0151

Cross-site request forgery (CSRF) vulnerability in oVirt Engine before 3.5.0 beta2 allows remote attackers to hijack the authentication of users for requests that perform unspecified actions via a REST API request.

6.8CVSS7.2AI score0.00126EPSS

CVE•added 2018/04/26 5:29 p.m.•48 views

CVE-2018-1074

ovirt-engine API and administration web portal before versions 4.2.2.5, 4.1.11.2 is vulnerable to an exposure of Power Management credentials, including cleartext passwords to Host Administrators. A Host Administrator could use this flaw to gain access to the power management systems of hosts they ...

7.7CVSS7AI score0.00263EPSS

CVE•added 2017/08/07 8:29 p.m.•46 views

CVE-2016-3113

Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote attackers to inject arbitrary web script or HTML.

6.1CVSS6AI score0.04029EPSS

CVE•added 2017/10/16 3:29 p.m.•45 views

CVE-2014-7851

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.

7.5CVSS7.5AI score0.00388EPSS

CVE•added 2019/03/25 6:29 p.m.•41 views

CVE-2017-7510

In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface.

8.8CVSS8.7AI score0.00253EPSS

CVE•added 2018/03/06 3:29 p.m.•41 views

CVE-2018-1062

A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk a...

5.3CVSS5.1AI score0.00457EPSS

CVE•added 2017/06/06 6:29 p.m.•40 views

CVE-2016-3077

The VersionMapper.fromKernelVersionString method in oVirt Engine allows remote authenticated users to cause a denial of service (process crash) for all VMs.

6.5CVSS6.1AI score0.0039EPSS

CVE•added 2018/03/13 1:29 a.m.•37 views

CVE-2018-1000095

oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3.

4.8CVSS5AI score0.00219EPSS