Back to bug 1684978
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Doran Moppert | 2019-03-04 04:09:00 UTC | CC | security-response-team | |
| Doran Moppert | 2019-03-04 04:10:04 UTC | Blocks | 1679052 | |
| | | Whiteboard | impact=important,reported=20190304,source=customer,cwe=CWE-862,rhev-m-4/ovirt-web-ui=affected | impact=important,reported=20190304,source=customer,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-862,rhev-m-4/ovirt-web-ui=affected |
| Doran Moppert | 2019-03-04 04:13:19 UTC | CC | obockows | |
| | | Depends On | 1642872 | |
| Doran Moppert | 2019-03-21 05:46:08 UTC | Whiteboard | impact=important,reported=20190304,source=customer,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-862,rhev-m-4/ovirt-web-ui=affected | impact=important,reported=20190304,source=customer,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-862,rhev-m-4/ovirt-web-ui=affected |
| Laura Pardo | 2019-03-21 19:28:06 UTC | Summary | EMBARGOED ovirt-web-ui: Missing permissions check allows a user with basic privileges to delete disks | EMBARGOED CVE-2019-3879 ovirt-web-ui: Missing permissions check allows a user with basic privileges to delete disks |
| | | Alias | CVE-2019-3879 | |
| Doran Moppert | 2019-03-22 04:50:35 UTC | CC | gshereme | nobody, ratamir |
| | | Doc Text | It was discovered that in the ovirt REST API, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests. | |
| | | Summary | EMBARGOED CVE-2019-3879 ovirt-web-ui: Missing permissions check allows a user with basic privileges to delete disks | EMBARGOED CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks |
| | | Whiteboard | impact=important,reported=20190304,source=customer,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-862,rhev-m-4/ovirt-web-ui=affected | impact=important,reported=20190304,source=customer,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-862,rhev-m-4/ovirt-engine=affected |
| Doran Moppert | 2019-03-22 04:52:25 UTC | Fixed In Version | ovirt-engine 4.3.2.1 | |
| Doran Moppert | 2019-03-25 06:01:32 UTC | Group | security, qe_staff | |
| | | CC | Rhev-m-bugs | |
| | | Summary | EMBARGOED CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks | CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks |
| | | Whiteboard | impact=important,reported=20190304,source=customer,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-862,rhev-m-4/ovirt-engine=affected | impact=important,public=20190325,reported=20190304,source=customer,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-862,rhev-m-4/ovirt-engine=affected |
| Eric Christensen | 2019-03-25 15:04:35 UTC | Doc Text | It was discovered that in the ovirt REST API, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests. | It was discovered that in the ovirt REST API, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (e.g. Basic Operations) could exploit this flaw to delete disks attached to guests. |
| Doran Moppert | 2019-04-03 06:35:59 UTC | Depends On | 1692380 | |
| Raz Tamir | 2019-04-14 13:41:44 UTC | CC | ratamir | |
| Lukas Svaty | 2019-04-29 07:24:18 UTC | CC | lsvaty | |
| | | Flags | needinfo?(dmoppert) | |
| Sandro Bonazzola | 2019-04-29 07:30:04 UTC | Status | NEW | ON_QA |
| Doran Moppert | 2019-04-29 08:21:28 UTC | Flags | needinfo?(dmoppert) | |
| Product Security DevOps Team | 2019-09-29 15:08:55 UTC | Whiteboard | impact=important,public=20190325,reported=20190304,source=customer,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-862,rhev-m-4/ovirt-engine=affected | |
| Jeff Fearn 🐞 | 2020-04-27 01:39:16 UTC | CC | Rhev-m-bugs | |
| Red Hat Bugzilla | 2021-03-23 23:38:18 UTC | CC | dblechte | |
| Red Hat Bugzilla | 2021-12-01 03:29:50 UTC | CC | mgoldboi | |
| Doron Fediuck | 2022-03-20 07:56:59 UTC | CC | dfediuck | |
| Sandro Bonazzola | 2022-11-18 16:11:01 UTC | CC | nobody, sbonazzo | |
| Red Hat Bugzilla | 2023-07-07 08:31:15 UTC | Assignee | security-response-team | nobody |
| | | CC | security-response-team | |