#VU12803 Information disclosure through an error message in ovirt-engine - CVE-2018-1073

Cybersecurity Help s.r.o.

Published: 2018-05-17

Vulnerability identifier: #VU12803

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-1073

CWE-ID: CWE-209

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ovirt-engine
Server applications / SCADA systems

Vendor: oVirt

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the ovirt-engine web console login form due to returning different errors for non-existent users and invalid passwords. A remote attacker can discover the names of valid user accounts.

Mitigation
Install update fro vendor's website.

Vulnerable software versions

ovirt-engine: 3.0 - 4.2.3

External links
https://bugzilla.redhat.com/show_bug.cgi?id=1553525

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat update for jackson-databind