CVE-2018-1073
MEDIUM
ovirt-engine < 4.2.3 - User Enumeration via Web Console Login Error Messages
Title source: llm
Description
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
References (3)
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1073
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104189
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1525
Scores
CVSS v3: 5.3
EPSS: 0.0191
EPSS Percentile: 77.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-209, CWE-200
Status: published
Products (3)
ovirt/ovirt-engine: < 4.2.3
redhat/virtualization: 4.0
redhat/virtualization_host: 4.0
Published: Jun 19, 2018
Tracked Since: Feb 18, 2026