Information Disclosure in oVirt Engine by Red Hat
CVE-2017-15113

7.2 HIGH

Key Information:

Vendor: Red Hat
CVE Published: 27 July 2018

Summary

oVirt Engine versions prior to 4.1.7.6 log passwords in plain text when the log level is set to DEBUG. Administrators can change the log level, so sensitive information can be exposed if the resulting debug logs are inadvertently shared with third parties for troubleshooting. Such exposure raises significant security concerns, as it can facilitate unauthorized access to accounts and compromise the integrity of the system.

Affected Version(s)

ovirt-engine 4.1.7.6

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
