Ovirt Ovirt

  1. Vendors
  2. Ovirt

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Ovirt product.

RSS Feeds for Ovirt security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Ovirt products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Ovirt Sorted by Most Security Vulnerabilities since 2018

Ovirt10 vulnerabilities

Ovirt Engine7 vulnerabilities

Ovirt Vdsm3 vulnerabilities

Cockpit Ovirt1 vulnerability

Ovirt Log Collector1 vulnerability

Ovirt Node1 vulnerability

Ovirt Ansible Roles1 vulnerability

Ovirt Hosted Engine Setup1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Ovirt. Ovirt did not have any published security vulnerabilities last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 2 6.20
2023 0 0.00
2022 5 6.58
2021 0 0.00
2020 3 6.23
2019 4 6.75
2018 7 7.71

It may take a day or so for new Ovirt vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Ovirt Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2024-7259 Sep 26, 2024
oVirt: Admin can view Provider passwords via DevTools (CVE-2024-7259) A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.
Ovirt Engine
CVE-2024-0822 Jan 25, 2024
Auth Bypass: CreateUserSession flaw in overt-engine An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command.
Ovirt Engine
CVE-2022-3193 Sep 28, 2022
oVirt Engine XSS via unsanitized error_description An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages.
Ovirt Engine
CVE-2022-2806 Sep 01, 2022
Unfiltered AdminPwd in ovirt-log-collector 4.4.7-2.el8ev (CVE-2022-2806) It was found that the ovirt-log-collector/sosreport collects the RHV admin password unfiltered. Fixed in: sos-4.2-20.el8_6, ovirt-log-collector-4.4.7-2.el8ev
Log Collector
CVE-2022-0207 Aug 26, 2022
VDSM Race Condition: Sensitive Log Data Leak via Cleartext Obfuscation A race condition was found in vdsm. Functionality to obfuscate sensitive values in log files that may lead to values being stored in clear text.
Vdsm
CVE-2022-0435 Mar 25, 2022
A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.
Node
CVE-2022-0847 Mar 10, 2022
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
Ovirt Engine
CVE-2020-35497 Dec 21, 2020
A flaw was found in ovirt-engine 4.4.3 and earlier A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.
Ovirt Engine
CVE-2020-14333 Aug 18, 2020
A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earlier A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earlier, where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. This flaw allows an attacker to leverage a phishing attack, steal an unsuspecting user's cookies or other confidential information, or impersonate them within the application's context.
Ovirt Engine
CVE-2019-19336 Mar 19, 2020
A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8 A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in the context of the user's oVirt session.
Ovirt Engine
CVE-2019-10194 Jul 11, 2019
Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.
Ovirt
CVE-2019-10139 May 17, 2019
During HE deployment During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.
Cockpit Ovirt
CVE-2019-3879 Mar 25, 2019
It was discovered that in the ovirt's REST API before version 4.3.2.1 It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.
Ovirt
CVE-2019-3831 Mar 25, 2019
A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 and 4.30.5 through 4.30.8 A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 and 4.30.5 through 4.30.8. The systemd_run function exposed to the vdsm system user could be abused to execute arbitrary commands as root.
Vdsm
CVE-2018-10908 Aug 09, 2018
It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory of CPU time, causing a denial of service condition that could potentially impact other users of the host.
Vdsm
CVE-2018-1072 Jun 26, 2018
ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently leak database passwords.
Ovirt
CVE-2018-1117 Jun 20, 2018
ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a missing no_log directive ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a missing no_log directive, resulting in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook inadvertently disclosing admin passwords in the provisioning log. In an environment where logs are shared with other parties, this could lead to privilege escalation.
Ovirt Ansible Roles
CVE-2018-1073 Jun 19, 2018
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
Ovirt
CVE-2018-1075 Jun 12, 2018
ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the verification step. Sharing the provisioning log might inadvertently leak database passwords.
Ovirt
CVE-2018-1074 Apr 26, 2018
ovirt-engine API and administration web portal before versions 4.2.2.5 ovirt-engine API and administration web portal before versions 4.2.2.5, 4.1.11.2 is vulnerable to an exposure of Power Management credentials, including cleartext passwords to Host Administrators. A Host Administrator could use this flaw to gain access to the power management systems of hosts they control.
Ovirt
CVE-2018-1000018 Jan 24, 2018
An information disclosure in ovirt-hosted-engine-setup prior to 2.2.7 reveals the root user's password in the log file. An information disclosure in ovirt-hosted-engine-setup prior to 2.2.7 reveals the root user's password in the log file.
Ovirt Hosted Engine Setup
CVE-2014-7851 Oct 16, 2017
oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.
Ovirt
CVE-2014-0154 Feb 13, 2015
oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
Ovirt
CVE-2014-0153 Sep 08, 2014
The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which allows remote attackers to obtain sensitive information via a crafted web page.
Ovirt
CVE-2014-0152 Sep 08, 2014
Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors.
Ovirt
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.