CVE-2017-15113 — Improper Removal of Sensitive Information Before Storage or Transfer in Ovirt

CWE-212 — Improper Removal of Sensitive Information Before Storage or Transfer CWE-532 — Log File Information Exposure6 documents5 sources

Severity

6.6MEDIUMNVD

CNA7.2

EPSS

0.3%

top 42.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ovirt RED HAT Ovirt-engine Redhat Virtualization

Timeline

PublishedJul 27

Latest updateMay 13

Description

ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.7 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5red_hat/ovirt-engine4.1.7.6

▶NVDovirt/ovirt< 4.1.7.6

▶NVDredhat/virtualization4.1

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

ovirt-engine Logs Plaintext Passwords To File↗2022-05-13

▶

CVEList

CVE-2017-15113: ovirt-engine before version 4↗2018-07-27

▶

📋Vendor Advisories

Red Hat

ovirt-engine: DEBUG logging includes unmasked passwords↗2017-11-13

▶

💬Community

Bugzilla

CVE-2017-15113 ovirt-engine: DEBUG logging includes unmasked passwords [fedora-all]↗2017-11-15

▶

Bugzilla

CVE-2017-15113 ovirt-engine: DEBUG logging includes unmasked passwords↗2017-11-13

▶