Ovirt-engine

This hub aggregates every CVE we track for Ovirt-engine, a product in the operating systems space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Ovirt-engine.

• CVE-2024-7259Ovirt-engine: potential exposure of cleartext provider passwords via web ui4.9Sep 26, 2024
• CVE-2024-0822Ovirt: authentication bypass7.5Jan 25, 2024
• CVE-2022-3193An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigge...6.1Sep 28, 2022
• CVE-2022-0847A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thu...KEV7.8Mar 7, 2022
• CVE-2020-35497A flaw was found in ovirt-engine 4.4.3 and earlier allowing an authenticated user to read other users' personal information, including name, email and public SSH key.6.5Dec 21, 2020
• CVE-2020-10775An Open redirect vulnerability was found in ovirt-engine versions 4.4 and earlier, where it allows remote attackers to redirect users to arbitrary web sites and attempt phishing attacks. Once the t...5.3Aug 24, 2020
• CVE-2020-14333A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earlier, where it did not filter user-controllable parameters completely, resulting in a reflected cross-site scripting attack. Thi...6.3Aug 18, 2020
• CVE-2019-19336A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This f...6.1Mar 19, 2020
• CVE-2015-1780oVirt users with MANIPULATE_STORAGE_DOMAIN permissions can attach a storage domain to any data-center6.5Nov 22, 2019
• CVE-2013-4367ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates certain files world-writeable due to an upstream kernel change which impacted how python's os.chmod() works when passed a mode of '-1'.7.8Nov 1, 2019
• CVE-2019-3879It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the ...8.1Mar 25, 2019
• CVE-2017-7510In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface.8.8Mar 25, 2019
• CVE-2017-15113ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access t...7.2Jul 27, 2018
• CVE-2018-1073The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user acco...5.3Jun 19, 2018
• CVE-2018-1075ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup was run and one chooses to provision the database manually or connec...5.0Jun 12, 2018