Bug 1553529 (CVE-2018-1074) - CVE-2018-1074 ovirt-engine: API exposes power management credentials to administrators
Summary: CVE-2018-1074 ovirt-engine: API exposes power management credentials to admin...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1074
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1558800
Blocks: 1553207
TreeView+ depends on / blocked
 
Reported: 2018-03-09 02:03 UTC by Doran Moppert
Modified: 2021-10-21 19:57 UTC (History)
12 users (show)

Fixed In Version: ovirt-engine 4.2.2.5, ovirt-engine 4.1.11.2
Doc Type: If docs needed, set a value
Doc Text:
The ovirt-engine API and administration web portal exposed Power Management credentials including cleartext passwords to Host Administrators. A Host Administrator could use this flaw to gain access to the power management systems of hosts they control.
Clone Of:
Environment:
Last Closed: 2021-10-21 19:57:52 UTC


Attachments (Terms of Use)

Description Doran Moppert 2018-03-09 02:03:01 UTC
The ovirt-engine API and administration web portal exposed Power Management credentials including cleartext passwords to Host Administrators.

Comment 2 Sandro Bonazzola 2018-04-20 15:02:16 UTC
Doran, which version is affected by this bug? Has this issue been already fixed?
This bug has no useful information for addressing the issue.
Is the issue handled in bug #1553207 ? I have no access to it.

Comment 4 Doran Moppert 2018-04-26 04:36:52 UTC
This issue was addressed in Red Hat Virtualization Manager (ovirt-engine) 4.1.11 via:

https://access.redhat.com/errata/RHBA-2018:1219


Note You need to log in before you can comment on or make changes to this bug.