CVE-2018-1062: Improper Removal of Sensitive Information Before Storage or Transfer in Redhat Ovirt-engine

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.4% (top 37.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 6
Latest update: May 13

Description

A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of the Enable Discard and Wipe After Delete flags for VM disks managed by oVirt could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks are later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.6 | Impact: 3.6

Affected Packages (2 packages)

NVD: redhat/ovirt-engine 4.1.0 - 4.1.9
CVEListV5: ovirt/ovirt 4.1.x before 4.1.9

🔴 Vulnerability Details (2)

GHSA (2022-05-13): GHSA-j45v-g64g-45w2: A vulnerability was discovered in oVirt 4
CVEList (2018-03-06): CVE-2018-1062: A vulnerability was discovered in oVirt 4

💥 Exploits & PoCs (1)

Exploit-DB (2018-02-16): Joomla! Component Google Map Landkarten 4.2.3 - SQL Injection

📋 Vendor Advisories (1)

Red Hat (2018-03-06): ovirt-engine: When Wipe After Delete (WAD) and Enable Discard are both enabled for a VM disk, discarded data might not be wiped after the disk is removed.

💬 Community (1)

Bugzilla (2018-02-28): CVE-2018-1062 ovirt-engine: When Wipe After Delete (WAD) and Enable Discard are both enabled for a VM disk, discarded data might not be wiped after the disk is removed.
CVE-2018-1062 — Redhat Ovirt-engine vulnerability | cvebase