CVE-2018-1117

Published: Jun 20, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a missing no_log directive, resulting in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook inadvertently disclosing admin passwords in the provisioning log. In an environment where logs are shared with other parties, this could lead to privilege escalation.

Affected (2)

Products: Ovirt: Ovirt Ansible Roles · Redhat: Enterprise Virtualization

1 product

Ovirt Ansible Roles

1 product

Enterprise Virtualization

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ovirt Ovirt Ansible Roles	Before 1.0.6

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Virtualization	Version 4.1

Related CWEs

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References (6)

http://www.securityfocus.com/bid/104186

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2018:1452

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1117

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

http://www.securityfocus.com/bid/104186

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2018:1452

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1117

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

Timeline

No history available yet.