CVE-2019-3879

Name of the Vulnerable Software and Affected Versions oVirt versions prior to 4.3.2.1

Description A flaw was discovered in oVirt's REST API where the RemoveDiskCommand is triggered as an internal command, bypassing permission validation against the calling user. This allows a user with low privileges, such as Basic Operations, to delete disks attached to guests.

Recommendations For versions prior to 4.3.2.1, update to version 4.3.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the RemoveDiskCommand to minimize the risk of exploitation.