It was discovered that in the ovirt REST API, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.
Upstream fix: https://gerrit.ovirt.org/#/c/98153/
(In reply to Doran Moppert from comment #2) > Upstream fix: > > https://gerrit.ovirt.org/#/c/98153/ $ git tag --contains b6840a6c6221470c31e5f4d9f718239a9d44149d ovirt-engine-4.3.2.1 ovirt-engine-4.3.3 ovirt-engine-4.3.3.1 ovirt-engine-4.3.3.2 ovirt-engine-4.3.3.3 ovirt-engine-4.3.3.4 ovirt-engine-4.3.3.5 ovirt-engine-4.3.3.6
This issue was addressed in the following erratum for Red Hat Virtualization 4.2: https://access.redhat.com/errata/RHBA-2019:0802