CVE-2018-1075
MEDIUM
Ovirt < 4.2.3 - Insufficiently Protected Credentials
ovirt-engine up to version 4.2.3 logs the database password unfiltered when manual db provisioning is chosen. When engine-setup is run and the user chooses to provision the database manually or to connect to a remote database, the password input is logged in cleartext during the verification step. Sharing the provisioning log might inadvertently leak database passwords.
References (3)
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1075
Vendor Advisory x_refsource_confirm
https://gerrit.ovirt.org/#/c/91653/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2071
Scores
CVSS v3: 5.0
EPSS: 0.0004
EPSS Percentile: 12.8%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Details
CWE: CWE-522, CWE-532
Status: published
Products (1)
ovirt/ovirt < 4.2.3
Published: Jun 12, 2018
Tracked Since: Feb 18, 2026