Vulnerability Details : CVE-2017-15113
ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues.
Products affected by CVE-2017-15113
- cpe:2.3:a:redhat:virtualization:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:ovirt:ovirt:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-15113
0.28%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 67 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-15113
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N |
6.8
|
2.9
|
NIST | |
6.6
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
0.7
|
5.9
|
NIST | |
7.2
|
HIGH | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
0.6
|
6.0
|
Red Hat, Inc. |
CWE ids for CVE-2017-15113
-
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Assigned by: secalert@redhat.com (Secondary)
-
The product writes sensitive information to a log file.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-15113
-
http://www.securityfocus.com/bid/101933
oVirt Engine CVE-2017-15113 Debug Logging Information Disclosure VulnerabilityThird Party Advisory;VDB Entry
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15113
1512365 – (CVE-2017-15113) CVE-2017-15113 ovirt-engine: DEBUG logging includes unmasked passwordsIssue Tracking;Patch;Third Party Advisory
-
https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commitdiff;h=f4a5d0cc772127dbfe40789e26c4633ceea07d14;hp=e6e8704ac9eb115624ff66e2965877d8e63a45f4
gerrit.ovirt Code Review - ovirt-engine.git/commitdiffPatch;Vendor Advisory
-
https://access.redhat.com/errata/RHEA-2017:3138
RHEA-2017:3138 - Product Enhancement Advisory - Red Hat Customer PortalThird Party Advisory
Jump to