VYPR

Ovirt Engine

by Ovirt

Source repositories

CVEs (20)

  • CVE-2017-7510HigMar 25, 2019
    risk 0.57cvss 8.8epss 0.01

    In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface.

  • CVE-2013-4367HigNov 1, 2019
    risk 0.44cvss 7.8epss 0.00

    ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'.

  • CVE-2016-6338MedApr 20, 2017
    risk 0.44cvss 6.8epss 0.01

    ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Manager (aka RHEV-M) for Servers and RHEV-M 4.0, allows physically proximate attackers to bypass a webadmin session timeout restriction via vectors related to UI selections, which trigger repeating queries.

  • CVE-2022-2805MedOct 19, 2022
    risk 0.42cvss 6.5epss 0.00

    A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otapi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss.

  • CVE-2020-35497MedDec 21, 2020
    risk 0.42cvss 6.5epss 0.01

    A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.

  • CVE-2016-3077MedJun 6, 2017
    risk 0.42cvss 6.5epss 0.01

    The VersionMapper.fromKernelVersionString method in oVirt Engine allows remote authenticated users to cause a denial of service (process crash) for all VMs.

  • CVE-2022-3193MedSep 28, 2022
    risk 0.40cvss 6.1epss 0.00

    An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages.

  • CVE-2019-19336MedMar 19, 2020
    risk 0.40cvss 6.1epss 0.01

    A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in…

  • CVE-2016-3113MedAug 7, 2017
    risk 0.40cvss 6.1epss 0.03

    Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote attackers to inject arbitrary web script or HTML.

  • CVE-2016-6310MedAug 22, 2017
    risk 0.36cvss 5.5epss 0.00

    oVirt Engine discloses the ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD in /var/log/ovirt-engine/engine.log file in RHEV before 4.0.

  • CVE-2016-6341MedApr 20, 2017
    risk 0.36cvss 5.5epss 0.00

    oVirt Engine before 4.0.3 does not include DWH_DB_PASSWORD in the list of keys to hide in log files, which allows local users to obtain sensitive password information by reading engine log files.

  • CVE-2020-10775MedAug 24, 2020
    risk 0.35cvss 5.3epss 0.02

    An Open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, where it allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the target has opened the malicious URL in their browser, the critical part of the URL…

  • CVE-2018-1073MedJun 19, 2018
    risk 0.35cvss 5.3epss 0.02

    The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.

  • CVE-2018-1072MedJun 26, 2018
    risk 0.33cvss 5.0epss 0.01

    ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently…

  • CVE-2018-1075MedJun 12, 2018
    risk 0.33cvss 5.0epss 0.00

    ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the…

  • CVE-2024-7259MedSep 26, 2024
    risk 0.32cvss 4.9epss 0.00

    A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.

  • CVE-2018-1000095MedMar 13, 2018
    risk 0.31cvss 4.8epss 0.01

    oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3.

  • CVE-2016-5432LowOct 3, 2016
    risk 0.21cvss 3.3epss 0.00

    The ovirt-engine-provisiondb utility in Red Hat Enterprise Virtualization (RHEV) Engine 4.0 allows local users to obtain sensitive database provisioning information by reading log files.

  • CVE-2024-0822HigJan 25, 2024
    risk 0.00cvss 7.5epss 0.01

    An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command.

  • CVE-2013-4181Sep 16, 2013
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the addAlert function in the RedirectServlet servlet in oVirt Engine and Red Hat Enterprise Virtualization Manager (RHEV-M), as used in Red Hat Enterprise Virtualization 3 and 3.2, allows remote attackers to inject arbitrary web script…

VYPR — Vulnerability Intelligence