CVE-2017-15113

HIGH

ovirt-engine <4.1.7.6 - Info Disclosure

Title source: llm

Description

ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues.

References (4)

[Various Sources] https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git%3Ba=commitdiff%3Bh=f4a5d0cc772127dbfe40789e26c4633ceea07d14%3Bhp=e6e8704ac9eb115624ff66e2965877d8e63a45f4

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/101933

[Third Party Advisory] https://access.redhat.com/errata/RHEA-2017:3138

[Issue Tracking, Patch, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15113

Scores

CVSS v3 7.2

EPSS 0.0034

EPSS Percentile 56.9%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-212 CWE-532

Status published

Products (3)

org.ovirt.engine.sdk/ovirt-engine-sdk-java 0 - 4.1.7.6Maven

ovirt/ovirt < 4.1.7.6

redhat/virtualization 4.1

Published Jul 27, 2018

Tracked Since Feb 18, 2026