CVE-2019-3879 — Missing Authorization in oVirt
Severity: 8.1 HIGH (NVD)
EPSS: 0.5% (top 34.89%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Mar 25; latest update May 13
Description
It was discovered that in the oVirt REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, so the permission validation that should be performed against the calling user is skipped. A user with low privileges (e.g. Basic Operations) could exploit this flaw to delete disks attached to guests.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (Exploitability: 2.8 | Impact: 5.2)
Affected packages: 2 packages
Vulnerability Details
Vendor Advisories (1)
  Red Hat: ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks (2019-03-25)
Community (3)
  Bugzilla: CVE-2019-3879 ovirt-engine: (downstream clone - 4.2.8) ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks [rhev-m-4.2.z] (2019-03-25)
  Bugzilla: CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks (2019-03-04)
  Bugzilla: CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks [rhev-m-4.3.0] (2018-10-25)