CVE-2019-3879
Severity: HIGH
ovirt < 4.3.2.1 - Unauthenticated Disk Deletion via RemoveDiskCommand
It was discovered that in oVirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (e.g. Basic Operations) could exploit this flaw to delete disks attached to guests.
References (3)
Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3879
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/107561
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHBA-2019:0802
Scores
CVSS v3: 8.1
EPSS: 0.0048
EPSS Percentile: 65.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Details
CWE: CWE-862
Status: published
Products (2)
ovirt/ovirt: < 4.3.2.1
redhat/virtualization: 4.2
Published: Mar 25, 2019
Tracked Since: Feb 18, 2026