Ovirt Engine
by Ovirt
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-7259 | | | 0.00 | — | 0.00 | | Sep 26, 2024 | A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext. |
| CVE-2022-2805 | | | 0.00 | — | 0.00 | | Oct 19, 2022 | A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otapi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss. |
| CVE-2022-3193 | | | 0.00 | — | 0.00 | | Sep 28, 2022 | An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages. |
| CVE-2013-4367 | | | 0.00 | — | 0.00 | | Nov 1, 2019 | ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'. |
| CVE-2017-7510 | | | 0.00 | — | 0.00 | | Mar 25, 2019 | In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface. |
| CVE-2018-1072 | | | 0.00 | — | 0.00 | | Jun 26, 2018 | ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently leak database passwords. |
| CVE-2018-1073 | | | 0.00 | — | 0.00 | | Jun 19, 2018 | The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts. |
| CVE-2018-1075 | | | 0.00 | — | 0.00 | | Jun 12, 2018 | ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connect to a remote database, the password input was logged in cleartext during the verification step. Sharing the provisioning log might inadvertently leak database passwords. |
| CVE-2018-1000095 | | | 0.00 | — | 0.00 | | Mar 13, 2018 | oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3. |