CVE-2019-3879

EPSS 0.58%
Veröffentlicht 25.03.2019 19:29:02
Zuletzt bearbeitet 21.11.2024 04:42:46
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ovirt ≫ Ovirt Version < 4.3.2.1

Redhat ≫ Virtualization Version4.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.58%	0.68

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:N/I:P/A:P
secalert@redhat.com	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

http://www.securityfocus.com/bid/107561

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHBA-2019:0802

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3879

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2019-3879

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-3879

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-3879

EUVD