Bug 1553529 (CVE-2018-1074) - CVE-2018-1074 ovirt-engine: API exposes power management credentials to administrators
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1074
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1558800
Blocks: 1553207
Reported: 2018-03-09 02:03 UTC by Doran Moppert
Modified: 2021-10-21 19:57 UTC

Fixed In Version: ovirt-engine 4.2.2.5, ovirt-engine 4.1.11.2
Doc Text:
The ovirt-engine API and administration web portal exposed Power Management credentials including cleartext passwords to Host Administrators. A Host Administrator could use this flaw to gain access to the power management systems of hosts they control.
Clone Of:
Environment:
Last Closed: 2021-10-21 19:57:52 UTC
Embargoed:



Description Doran Moppert 2018-03-09 02:03:01 UTC
The ovirt-engine API and administration web portal exposed Power Management credentials including cleartext passwords to Host Administrators.

Comment 2 Sandro Bonazzola 2018-04-20 15:02:16 UTC
Doran, which version is affected by this bug? Has this issue been already fixed?
This bug has no useful information for addressing the issue.
Is the issue handled in bug #1553207? I have no access to it.

Comment 4 Doran Moppert 2018-04-26 04:36:52 UTC
This issue was addressed in Red Hat Virtualization Manager (ovirt-engine) 4.1.11 via:

https://access.redhat.com/errata/RHBA-2018:1219

