Skip to main content

Ovirt Engine CVE-2018-1062

MEDIUM
Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212)
2018-03-06 secalert@redhat.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 06, 2018 - 15:29 nvd
MEDIUM 5.3

DescriptionNVD

A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM.

AnalysisAI

A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-212. A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM. Affected products include: Redhat Ovirt-Engine. Version information: before 4.1.9.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-0822 HIGH POC
7.5 Jan 25

An authentication bypass vulnerability was found in overt-engine. Rated high severity (CVSS 7.5), this vulnerability is

CVE-2014-7851 HIGH
7.5 Oct 16

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote au

CVE-2016-3113 MEDIUM
6.1 Aug 07

Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote attackers to inject arbitrary web script or HTML.

CVE-2014-0152 MEDIUM
6.8 Sep 08

Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack w

CVE-2014-0151 MEDIUM
6.8 Feb 13

Cross-site request forgery (CSRF) vulnerability in oVirt Engine before 3.5.0 beta2 allows remote attackers to hijack the

CVE-2016-3077 MEDIUM
6.5 Jun 06

The VersionMapper.fromKernelVersionString method in oVirt Engine allows remote authenticated users to cause a denial of

CVE-2020-35497 MEDIUM
6.5 Dec 21

A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal informat

CVE-2022-3193 MEDIUM
6.1 Sep 28

An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. Rated medium severit

CVE-2020-14333 MEDIUM
6.1 Aug 18

A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earlier, where it did not filter user-controllable par

CVE-2020-10775 MEDIUM
5.3 Aug 24

An Open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, where it allows remote attackers to r

CVE-2018-1073 MEDIUM
5.3 Jun 19

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and inv

CVE-2024-7259 MEDIUM
4.9 Sep 26

A flaw was found in oVirt. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack comp

Share

CVE-2018-1062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy