PT-2018-10080 · Ovirt · Ovirt Engine

Pedro Sampaio · Published 2018-06-12 · Updated 2023-02-13 · CVE-2018-1075

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ovirt-engine versions up to 4.2.3

Description

The issue concerns an unfiltered password when choosing manual database provisioning. When engine-setup is run and manual database provisioning or connection to a remote database is chosen, the password input is logged in cleartext during the verification step. This could lead to inadvertent leakage of database passwords if the provisioning log is shared.

Recommendations

For ovirt-engine versions up to 4.2.3, consider restricting access to the provisioning log to minimize the risk of password leakage. As a temporary workaround, avoid sharing the provisioning log until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Insufficiently Protected Credentials
Insertion into Log File

Related Identifiers

CVE-2018-1075
RHSA-2018:2071

Affected Products

Ovirt Engine