CVE-2020-35497 — Improper Access Control in Ovirt-engine

CWE-284 — Improper Access Control CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 45.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ovirt Ovirt-engine Redhat Virtualization

Timeline

PublishedDec 21

Latest updateMay 24

Description

A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDovirt/ovirt-engine4.4.3

▶CVEListV5ovirt/ovirt-engineovirt-engine 4.4.3 and earlier

▶NVDredhat/virtualization4.0

🔴Vulnerability Details

GHSA

GHSA-wvmj-h4cr-4hm5: A flaw was found in ovirt-engine 4↗2022-05-24

▶

CVEList

CVE-2020-35497: A flaw was found in ovirt-engine 4↗2020-12-21

▶

📋Vendor Advisories

Red Hat

ovirt-engine: non-admin user is able to access other users public SSH key↗2020-12-18

▶