CVE-2018-1072

CWE-532 — Log File Information Exposure CWE-20 — Improper Input Validation9 documents5 sources

Severity

9.8CRITICAL

EPSS

0.1%

top 64.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ovirt Ovirt [unknown] Ovirt-engine-setup Redhat Enterprise Virtualization Manager

Timeline

PublishedJun 26

Latest updateMay 13

Description

ovirt-engine before version ovirt 4.2.2 is vulnerable to an information exposure through log files. When engine-backup was run with one of the options "--provision*db", the database username and password were logged in cleartext. Sharing the provisioning log might inadvertently leak database passwords.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 1.3 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5[unknown]/ovirt-engine-setupoVirt 4.2.2

▶NVDovirt/ovirt< 4.2.2

▶NVDredhat/enterprise_virtualization_manager4.2

🔴Vulnerability Details

GHSA

GHSA-9fw7-mcq9-ghf3: ovirt-engine before version ovirt 4↗2022-05-13

▶

CVEList

CVE-2018-1072: ovirt-engine before version ovirt 4↗2018-06-26

▶

📋Vendor Advisories

Red Hat

jenkins: forced migration of user records (SECURITY-1072)↗2018-12-05

▶

Red Hat

ovirt-engine-setup: unfiltered db password in engine-backup log↗2018-06-26

▶

💬Community

Bugzilla

CVE-2018-1000863 jenkins: forced migration of user records (SECURITY-1072)↗2018-12-06

▶

Bugzilla

CVE-2018-9133 ImageMagick: excessive iteration in the DecodeLabImage and EncodeLabImage functions in coders/tiff.c↗2018-04-05

▶

Bugzilla

CVE-2018-1072 ovirt-engine-setup: unfiltered db password in engine-backup log↗2018-03-09

▶