CVE-2018-1073

CWE-209 CWE-200 — Information Exposure6 documents5 sources

Severity

5.3MEDIUM

EPSS

0.3%

top 49.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ovirt Ovirt-engine [unknown] Ovirt-engine Redhat Virtualization +1 more

Timeline

PublishedJun 19

Latest updateMay 13

Description

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDovirt/ovirt-engine< 4.2.3

▶CVEListV5[unknown]/ovirt-engineovirt-engine 4.2.3

▶NVDredhat/virtualization4.0

▶NVDredhat/virtualization_host4.0

🔴Vulnerability Details

GHSA

GHSA-9ghh-fm37-vrf7: The web console login form in ovirt-engine before version 4↗2022-05-13

▶

CVEList

CVE-2018-1073: The web console login form in ovirt-engine before version 4↗2018-06-19

▶

📋Vendor Advisories

Red Hat

ovirt-engine: account enumeration through login to web console↗2018-05-15

▶

💬Community

Bugzilla

CVE-2018-20145 mosquitto: Possible ACL bypass↗2018-12-18

▶

Bugzilla

CVE-2018-1073 ovirt-engine: account enumeration through login to web console↗2018-03-09

▶