Ovirt Ovirt

Do you want an email whenever new security vulnerabilities are reported in Ovirt?

By the Year

In 2022 there have been 0 vulnerabilities in Ovirt . Ovirt did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2022 0 0.00
2021 0 0.00
2020 0 0.00
2019 2 6.00
2018 4 7.53

It may take a day or so for new Ovirt vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Ovirt Security Vulnerabilities

Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions

CVE-2019-10194 5.5 - Medium - July 11, 2019

Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.

Insertion of Sensitive Information into Log File

It was discovered that in the ovirt's REST API before version 4.3.2.1

CVE-2019-3879 6.5 - Medium - March 25, 2019

It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.

Permission Issues

ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files

CVE-2018-1072 9.8 - Critical - June 26, 2018

ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently leak database passwords.

Insertion of Sensitive Information into Log File

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords

CVE-2018-1073 5.3 - Medium - June 19, 2018

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.

Information Disclosure

ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning

CVE-2018-1075 7.8 - High - June 12, 2018

ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the verification step. Sharing the provisioning log might inadvertently leak database passwords.

Insufficiently Protected Credentials

ovirt-engine API and administration web portal before versions 4.2.2.5

CVE-2018-1074 7.2 - High - April 26, 2018

ovirt-engine API and administration web portal before versions 4.2.2.5, 4.1.11.2 is vulnerable to an exposure of Power Management credentials, including cleartext passwords to Host Administrators. A Host Administrator could use this flaw to gain access to the power management systems of hosts they control.

Insufficiently Protected Credentials

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Enterprise Virtualization or by Ovirt? Click the Watch button to subscribe.

Ovirt
Vendor

Ovirt
Product

subscribe