Bug 1908755 (CVE-2020-35497)
Summary: | CVE-2020-35497 ovirt-engine: non-admin user is able to access other users public SSH key | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | dblechte, dfediuck, eedri, mgoldboi, michal.skrivanek, nobody, sbonazzo, security-response-team, sherold, yturgema |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ovirt-engine 4.4.4.7 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in ovirt-engine 4.4.3 and earlier. This flaw allows an authenticated user to read other users' personal information, including the name, email, and public SSH key. The highest threat from this vulnerability is to confidentiality. |
Last Closed: | 2021-02-02 14:42:09 UTC | Type: | --- |
Bug Depends On: | 1910219 | ||
Bug Blocks: | 1908756 |
Description
Marian Rehak
2020-12-17 14:29:50 UTC
Acknowledgments:
Name: Martin Perina

Upstream fix:
https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=d663972f8a144b283591e46693f0aa27a9f2e859

This issue has been addressed in the following products:
Red Hat Virtualization Engine 4.4
Via RHSA-2021:0383 https://access.redhat.com/errata/RHSA-2021:0383

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-35497