MidnightBSD

Advisories for ovirt

CVE-2013-0293 HIGH

oVirt Node: Lock screen accepts F2 to drop to shell causing privilege escalation

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
ovirt node 2.6.0-1
CVE-2013-4367 MEDIUM

ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
ovirt ovirt-engine 3.2
CVE-2014-0152 MEDIUM

Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
redhat ovirt-engine 3.2.0
ovirt ovirt *
redhat ovirt-engine 3.3.0
redhat ovirt-engine 3.3.2
redhat ovirt-engine 3.3.3
redhat ovirt-engine 3.3.5
redhat ovirt-engine 3.1.0
redhat ovirt-engine 3.4.0
redhat ovirt-engine 3.0.0
redhat ovirt-engine 3.3.4
CVE-2014-0153 MEDIUM

The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which allows remote attackers to obtain sensitive information via a crafted web page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
ovirt ovirt *
CVE-2014-0154 MEDIUM

oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
ovirt ovirt *
CVE-2014-7851 MEDIUM

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
redhat ovirt-engine 3.4.1
ovirt ovirt 3.3.2
redhat ovirt-engine 3.3.2
redhat ovirt-engine 3.3.3
redhat ovirt-engine 3.3.1
redhat ovirt-engine 3.3
redhat ovirt-engine 3.4.3
redhat ovirt-engine 3.4.4
redhat ovirt-engine 3.4.2
ovirt ovirt 3.4.0
redhat ovirt-engine 3.3.0.1
redhat ovirt-engine 3.3.5
redhat ovirt-engine 3.2.2
redhat ovirt-engine 3.4.0
redhat ovirt-engine 3.3.4
redhat ovirt-engine 3.5.0
CVE-2014-8170 HIGH

ovirt_safe_delete_config in ovirtfunctions.py and other unspecified locations in ovirt-node 3.0.0-474-gb852fd7 as packaged in Red Hat Enterprise Virtualization 3 do not properly quote input strings, which allows remote authenticated users and physically proximate attackers to execute arbitrary commands via a ; (semicolon) in an input string.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-134,

Products Affected

Vendor Product Version
ovirt ovirt-node 3.0.0-474-gb852fd7
CVE-2016-6341 LOW

oVirt Engine before 4.0.3 does not include DWH_DB_PASSWORD in the list of keys to hide in log files, which allows local users to obtain sensitive password information by reading engine log files.

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
ovirt ovirt *
CVE-2017-15113 LOW

ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues.

CVSS 2.0

Severity: LOW

Problem Type: CWE-212,CWE-532,

Products Affected

Vendor Product Version
redhat virtualization 4.1
ovirt ovirt *
CVE-2018-1000018 LOW

An information disclosure in ovirt-hosted-engine-setup prior to 2.2.7 reveals the root user's password in the log file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-532,

Products Affected

Vendor Product Version
ovirt ovirt-hosted-engine-setup *
CVE-2018-1072 MEDIUM

ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently leak database passwords.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,CWE-532,

Products Affected

Vendor Product Version
redhat enterprise_virtualization_manager 4.2
ovirt ovirt *
CVE-2018-1073 MEDIUM

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,CWE-200,

Products Affected

Vendor Product Version
redhat virtualization_host 4.0
ovirt ovirt-engine *
redhat virtualization 4.0
CVE-2018-1074 MEDIUM

ovirt-engine API and administration web portal before versions 4.2.2.5, 4.1.11.2 is vulnerable to an exposure of Power Management credentials, including cleartext passwords to Host Administrators. A Host Administrator could use this flaw to gain access to the power management systems of hosts they control.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,CWE-522,

Products Affected

Vendor Product Version
ovirt ovirt *
redhat enterprise_virtualization 4.0
CVE-2018-1075 LOW

ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the verification step. Sharing the provisioning log might inadvertently leak database passwords.

CVSS 2.0

Severity: LOW

Problem Type: CWE-532,CWE-522,CWE-532,

Products Affected

Vendor Product Version
ovirt ovirt *
CVE-2018-10908 HIGH

It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory of CPU time, causing a denial of service condition that could potentially impact other users of the host.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-770,CWE-770,

Products Affected

Vendor Product Version
ovirt vdsm *
redhat virtualization 4.0
CVE-2018-1117 MEDIUM

ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a missing no_log directive, resulting in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook inadvertently disclosing admin passwords in the provisioning log. In an environment where logs are shared with other parties, this could lead to privilege escalation.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ovirt ovirt-ansible-roles *
redhat enterprise_virtualization 4.1
CVE-2019-10139 LOW

During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,CWE-311,CWE-522,

Products Affected

Vendor Product Version
ovirt cockpit-ovirt -
CVE-2019-10194 LOW

Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-532,CWE-532,

Products Affected

Vendor Product Version
ovirt ovirt *
redhat virtualization_manager 4.3
CVE-2019-19336 MEDIUM

A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in the context of the user's oVirt session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
ovirt ovirt-engine *
redhat virtualization 4.3
CVE-2019-3831 HIGH

A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 and 4.30.5 through 4.30.8. The systemd_run function exposed to the vdsm system user could be abused to execute arbitrary commands as root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-863,NVD-CWE-Other,

Products Affected

Vendor Product Version
ovirt vdsm *
redhat gluster_storage 3.0
CVE-2019-3879 MEDIUM

It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,CWE-862,

Products Affected

Vendor Product Version
redhat virtualization 4.2
ovirt ovirt *
CVE-2020-14333 MEDIUM

A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earlier, where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. This flaw allows an attacker to leverage a phishing attack, steal an unsuspecting user's cookies or other confidential information, or impersonate them within the application's context.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
secalert@redhat.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L 2.8 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
ovirt ovirt-engine *
CVE-2020-35497 MEDIUM

A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
ovirt ovirt-engine *
redhat virtualization 4.0
CVE-2022-0207

A race condition was found in vdsm. Functionality to obfuscate sensitive values in log files that may lead to values being stored in clear text.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.0 3.6

Products Affected

Vendor Product Version
redhat virtualization_host 4.0
ovirt vdsm *
redhat virtualization 4.0
redhat virtualization_for_ibm_power_little_endian 4.0
CVE-2022-0435 HIGH

A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat codeready_linux_builder_eus_for_power_little_endian 8.2
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_power_little_endian 8.0
redhat virtualization_host 4.0
redhat codeready_linux_builder_for_power_little_endian_eus 8.4
fedoraproject fedora 34
netapp h300s_firmware -
redhat codeready_linux_builder_for_power_little_endian_eus 8.0
redhat enterprise_linux_for_real_time_tus 8.2
redhat enterprise_linux_for_ibm_z_systems_eus 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
linux linux_kernel 5.17
netapp h700e_firmware -
redhat codeready_linux_builder 8.0
redhat codeready_linux_builder 8.4
redhat enterprise_linux 8.0
redhat virtualization 4.0
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4
redhat codeready_linux_builder_eus 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
redhat enterprise_linux_for_power_little_endian_eus 8.4
redhat enterprise_linux_for_power_little_endian_eus 8.2
netapp h500e_firmware -
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat enterprise_linux_for_real_time 8
redhat enterprise_linux_for_real_time_for_nfv 8
ovirt node 4.4.10
redhat enterprise_linux_server_tus 8.2
netapp h500s_firmware -
linux linux_kernel *
redhat enterprise_linux_server_aus 8.4
netapp h300e_firmware -
redhat enterprise_linux_for_real_time_tus 8.4
redhat enterprise_linux_eus 8.4
fedoraproject fedora 35
redhat enterprise_linux_for_ibm_z_systems 8.0
netapp h410s_firmware -
netapp h700s_firmware -
CVE-2022-0847 HIGH

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-665,CWE-665,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.2
redhat enterprise_linux_server_tus 8.4
redhat enterprise_linux_for_power_little_endian 8.0
redhat virtualization_host 4.0
netapp h300s_firmware -
redhat enterprise_linux_for_real_time_tus 8.2
redhat enterprise_linux_for_ibm_z_systems_eus 8.2
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.4
redhat enterprise_linux_for_real_time_for_nfv_tus 8.4
redhat enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions 8.1
redhat enterprise_linux_for_real_time_for_nfv_tus 8.2
netapp h700e_firmware -
redhat enterprise_linux 8.0
sonicwall sma1000_firmware *
netapp h410c_firmware -
redhat enterprise_linux_eus 8.2
redhat enterprise_linux_server_update_services_for_sap_solutions 8.4
redhat enterprise_linux_server_update_services_for_sap_solutions 8.2
redhat enterprise_linux_for_power_little_endian_eus 8.4
redhat enterprise_linux_for_power_little_endian_eus 8.2
netapp h500e_firmware -
redhat enterprise_linux_server_aus 8.2
redhat enterprise_linux_for_ibm_z_systems_eus 8.4
redhat enterprise_linux_server_update_services_for_sap_solutions 8.1
redhat enterprise_linux_for_real_time 8
redhat enterprise_linux_for_real_time_for_nfv 8
redhat enterprise_linux_server_tus 8.2
netapp h500s_firmware -
linux linux_kernel *
ovirt ovirt-engine 4.4.10.2
redhat codeready_linux_builder -
redhat enterprise_linux_server_aus 8.4
netapp h300e_firmware -
redhat enterprise_linux_for_real_time_tus 8.4
redhat enterprise_linux_eus 8.4
fedoraproject fedora 35
redhat enterprise_linux_for_ibm_z_systems 8.0
netapp h410s_firmware -
netapp h700s_firmware -
siemens scalance_lpe9403_firmware *
CVE-2022-2806

It was found that the ovirt-log-collector/sosreport collects the RHV admin password unfiltered. Fixed in: sos-4.2-20.el8_6, ovirt-log-collector-4.4.7-2.el8ev

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
sos_project sos *
ovirt log_collector *
CVE-2022-3193

An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
ovirt ovirt-engine 4.3.0
CVE-2024-0822

An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
ovirt ovirt-engine -
CVE-2024-7259

A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 4.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N 0.7 3.6

Products Affected

Vendor Product Version
ovirt ovirt-engine *