CVE-2019-3879
Summary
| CVE | CVE-2019-3879 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-03-25 19:29:00 UTC |
| Updated | 2020-10-19 18:09:00 UTC |
| Description | It was discovered that in oVirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (e.g. Basic Operations) could exploit this flaw to delete disks attached to guests. |
Risk And Classification
Problem Types: CWE-862
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ovirt | Ovirt | All | All | All | All |
| Operating System | Redhat | Virtualization | 4.2 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 1684978 – (CVE-2019-3879) CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks | CONFIRM | bugzilla.redhat.com | Issue Tracking, Third Party Advisory |
| oVirt Engine CVE-2019-3879 Security Bypass Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.