Description
ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues.
References (4)
Core References
Various Sources x_refsource_confirm
https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git%3Ba=commitdiff%3Bh=f4a5d0cc772127dbfe40789e26c4633ceea07d14%3Bhp=e6e8704ac9eb115624ff66e2965877d8e63a45f4
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/101933
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHEA-2017:3138
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15113
Scores
CVSS v3
7.2
EPSS
0.0116
EPSS Percentile
63.0%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-212
CWE-532
Status
published
Products (3)
org.ovirt.engine.sdk/ovirt-engine-sdk-java
0 - 4.1.7.6 (Maven)
ovirt/ovirt
< 4.1.7.6
redhat/virtualization
4.1
Published
Jul 27, 2018
Tracked Since
Feb 18, 2026