CVE-2019-3879 in Ovirt and Red Hat Products
Published on March 25, 2019

It was discovered that in oVirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (e.g., Basic Operations) could exploit this flaw to delete disks attached to guests.

Vendor Advisory NVD

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2019-3879 has been classified as an AuthZ vulnerability or weakness.


Affected Versions

unspecified ovirt-engine Version 4.3.2.1 is affected by CVE-2019-3879

Exploit Probability

EPSS: 0.57%
Percentile: 68.23%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.