Ovirt Engine
by Ovirt
Source repositories
CVEs (20)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7510 | Hig | 0.57 | 8.8 | 0.01 | Mar 25, 2019 | In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface. | ||
| CVE-2013-4367 | Hig | 0.44 | 7.8 | 0.00 | Nov 1, 2019 | ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'. | ||
| CVE-2016-6338 | Med | 0.44 | 6.8 | 0.01 | Apr 20, 2017 | ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Manager (aka RHEV-M) for Servers and RHEV-M 4.0, allows physically proximate attackers to bypass a webadmin session timeout restriction via vectors related to UI selections, which trigger repeating queries. | ||
| CVE-2022-2805 | Med | 0.42 | 6.5 | 0.00 | Oct 19, 2022 | A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otapi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss. | ||
| CVE-2020-35497 | Med | 0.42 | 6.5 | 0.01 | Dec 21, 2020 | A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key. | ||
| CVE-2016-3077 | Med | 0.42 | 6.5 | 0.01 | Jun 6, 2017 | The VersionMapper.fromKernelVersionString method in oVirt Engine allows remote authenticated users to cause a denial of service (process crash) for all VMs. | ||
| CVE-2022-3193 | Med | 0.40 | 6.1 | 0.00 | Sep 28, 2022 | An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages. | ||
| CVE-2019-19336 | Med | 0.40 | 6.1 | 0.01 | Mar 19, 2020 | A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in… | ||
| CVE-2016-3113 | Med | 0.40 | 6.1 | 0.03 | Aug 7, 2017 | Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote attackers to inject arbitrary web script or HTML. | ||
| CVE-2016-6310 | Med | 0.36 | 5.5 | 0.00 | Aug 22, 2017 | oVirt Engine discloses the ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD in /var/log/ovirt-engine/engine.log file in RHEV before 4.0. | ||
| CVE-2016-6341 | Med | 0.36 | 5.5 | 0.00 | Apr 20, 2017 | oVirt Engine before 4.0.3 does not include DWH_DB_PASSWORD in the list of keys to hide in log files, which allows local users to obtain sensitive password information by reading engine log files. | ||
| CVE-2020-10775 | Med | 0.35 | 5.3 | 0.02 | Aug 24, 2020 | An Open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, where it allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL… | ||
| CVE-2018-1073 | Med | 0.35 | 5.3 | 0.02 | Jun 19, 2018 | The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts. | ||
| CVE-2018-1072 | Med | 0.33 | 5.0 | 0.01 | Jun 26, 2018 | ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently… | ||
| CVE-2018-1075 | Med | 0.33 | 5.0 | 0.00 | Jun 12, 2018 | ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the… | ||
| CVE-2024-7259 | Med | 0.32 | 4.9 | 0.00 | Sep 26, 2024 | A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext. | ||
| CVE-2018-1000095 | Med | 0.31 | 4.8 | 0.01 | Mar 13, 2018 | oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3. | ||
| CVE-2016-5432 | Low | 0.21 | 3.3 | 0.00 | Oct 3, 2016 | The ovirt-engine-provisiondb utility in Red Hat Enterprise Virtualization (RHEV) Engine 4.0 allows local users to obtain sensitive database provisioning information by reading log files. | ||
| CVE-2024-0822 | Hig | 0.00 | 7.5 | 0.01 | Jan 25, 2024 | An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command. | ||
| CVE-2013-4181 | 0.00 | — | 0.01 | Sep 16, 2013 | Cross-site scripting (XSS) vulnerability in the addAlert function in the RedirectServlet servlet in oVirt Engine and Red Hat Enterprise Virtualization Manager (RHEV-M), as used in Red Hat Enterprise Virtualization 3 and 3.2, allows remote attackers to inject arbitrary web script… |
- risk 0.57cvss 8.8epss 0.01
In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface.
- risk 0.44cvss 7.8epss 0.00
ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'.
- risk 0.44cvss 6.8epss 0.01
ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Manager (aka RHEV-M) for Servers and RHEV-M 4.0, allows physically proximate attackers to bypass a webadmin session timeout restriction via vectors related to UI selections, which trigger repeating queries.
- risk 0.42cvss 6.5epss 0.00
A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otapi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss.
- risk 0.42cvss 6.5epss 0.01
A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.
- risk 0.42cvss 6.5epss 0.01
The VersionMapper.fromKernelVersionString method in oVirt Engine allows remote authenticated users to cause a denial of service (process crash) for all VMs.
- risk 0.40cvss 6.1epss 0.00
An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages.
- risk 0.40cvss 6.1epss 0.01
A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in…
- risk 0.40cvss 6.1epss 0.03
Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote attackers to inject arbitrary web script or HTML.
- risk 0.36cvss 5.5epss 0.00
oVirt Engine discloses the ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD in /var/log/ovirt-engine/engine.log file in RHEV before 4.0.
- risk 0.36cvss 5.5epss 0.00
oVirt Engine before 4.0.3 does not include DWH_DB_PASSWORD in the list of keys to hide in log files, which allows local users to obtain sensitive password information by reading engine log files.
- risk 0.35cvss 5.3epss 0.02
An Open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, where it allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL…
- risk 0.35cvss 5.3epss 0.02
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
- risk 0.33cvss 5.0epss 0.01
ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently…
- risk 0.33cvss 5.0epss 0.00
ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the…
- risk 0.32cvss 4.9epss 0.00
A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.
- risk 0.31cvss 4.8epss 0.01
oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3.
- risk 0.21cvss 3.3epss 0.00
The ovirt-engine-provisiondb utility in Red Hat Enterprise Virtualization (RHEV) Engine 4.0 allows local users to obtain sensitive database provisioning information by reading log files.
- risk 0.00cvss 7.5epss 0.01
An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command.
- CVE-2013-4181Sep 16, 2013risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the addAlert function in the RedirectServlet servlet in oVirt Engine and Red Hat Enterprise Virtualization Manager (RHEV-M), as used in Red Hat Enterprise Virtualization 3 and 3.2, allows remote attackers to inject arbitrary web script…