VYPR

Ovirt Engine

by Red Hat

CVEs (16)

  • CVE-2018-1074 | High | Apr 26, 2018
    risk 0.50, CVSS 7.7, EPSS 0.01

    ovirt-engine API and administration web portal before versions 4.2.2.5, 4.1.11.2 is vulnerable to an exposure of Power Management credentials, including cleartext passwords to Host Administrators. A Host Administrator could use this flaw to gain access to the power management…

  • CVE-2014-7851 | High | Oct 16, 2017
    risk 0.49, CVSS 7.5, EPSS 0.01

    oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.

  • CVE-2017-15113 | High | Jul 27, 2018
    risk 0.47, CVSS 7.2, EPSS 0.01

    ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or…

  • CVE-2016-3077 | Medium | Jun 6, 2017
    risk 0.42, CVSS 6.5, EPSS 0.01

    The VersionMapper.fromKernelVersionString method in oVirt Engine allows remote authenticated users to cause a denial of service (process crash) for all VMs.

  • CVE-2016-3113 | Medium | Aug 7, 2017
    risk 0.40, CVSS 6.1, EPSS 0.03

    Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote attackers to inject arbitrary web script or HTML.

  • CVE-2014-3706 | Medium | Oct 18, 2017
    risk 0.38, CVSS 5.9, EPSS 0.01

    ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attackers to spoof servers by leveraging failure to verify key attributes in vdsm X.509 certificates.

  • CVE-2018-1072 | Medium | Jun 26, 2018
    risk 0.33, CVSS 5.0, EPSS 0.01

    ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently…

  • CVE-2022-3193 | Sep 28, 2022
    risk 0.00, CVSS not listed, EPSS 0.00

    An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages.

  • CVE-2020-35497 | Dec 21, 2020
    risk 0.00, CVSS not listed, EPSS 0.01

    A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.

  • CVE-2019-19336 | Mar 19, 2020
    risk 0.00, CVSS not listed, EPSS 0.01

    A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in…

  • CVE-2013-4367 | Nov 1, 2019
    risk 0.00, CVSS not listed, EPSS 0.00

    ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'.

  • CVE-2019-10194 | Jul 11, 2019
    risk 0.00, CVSS not listed, EPSS 0.00

    Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions, were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.

  • CVE-2014-0154 | Feb 13, 2015
    risk 0.00, CVSS not listed, EPSS 0.02

    oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

  • CVE-2014-0151 | Feb 13, 2015
    risk 0.00, CVSS not listed, EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in oVirt Engine before 3.5.0 beta2 allows remote attackers to hijack the authentication of users for requests that perform unspecified actions via a REST API request.

  • CVE-2014-0152 | Sep 8, 2014
    risk 0.00, CVSS not listed, EPSS 0.02

    Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors.

  • CVE-2014-0202 | May 30, 2014
    risk 0.00, CVSS not listed, EPSS 0.00

    The setup script in ovirt-engine-dwh, as used in the Red Hat Enterprise Virtualization Manager data warehouse (rhevm-dwh) package before 3.3.3, stores the history database password in cleartext, which allows local users to obtain sensitive information by reading an unspecified…