Vulnerability Details : CVE-2019-3879
It was discovered that in oVirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (e.g. Basic Operations) could exploit this flaw to delete disks attached to guests.
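The flaw class above (a command framework that skips the per-user permission check for commands executed as "internal", combined with an external entry point that dispatches a user-originated command as internal) can be modelled in a few lines. The following is an added example, not oVirt's code; the class names, role table, inventory and the `patched` switch are assumptions made for the illustration, and it shows the unpatched dispatch beside the fixed one:

```python
"""Model of a missing-authorization flaw: a command-execution framework whose
per-user permission check is skipped for 'internal' (engine-originated)
commands, and a REST handler that wrongly dispatches a user's request as
internal.  Added example, not oVirt's code; all names are assumptions."""


class PermissionDenied(Exception):
    pass


# Constructed role table: a Basic-Operations-style role that can use VMs but
# has no disk-deletion right, and an operator role that does.
ROLE_PERMISSIONS = {
    "BasicOperations": {"LIST_DISKS", "CONNECT_TO_VM"},
    "DiskOperator": {"LIST_DISKS", "DELETE_DISK"},
}


class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)

    def can(self, action):
        return any(action in ROLE_PERMISSIONS.get(r, ()) for r in self.roles)


class Engine:
    def __init__(self):
        # Constructed inventory: disk id -> VM the disk is attached to.
        self.disks = {"disk-1": "vm-web", "disk-2": "vm-db"}


class CommandBase:
    """Every command validates the caller's permissions before acting, unless
    it is flagged internal, i.e. the engine itself is supposed to be the caller."""
    required_action = None

    def __init__(self, engine, user, internal=False):
        self.engine, self.user, self.internal = engine, user, internal

    def validate_permissions(self):
        if not self.user.can(self.required_action):
            raise PermissionDenied(f"{self.user.name} lacks {self.required_action}")

    def execute(self):
        if not self.internal:            # the check an internal dispatch bypasses
            self.validate_permissions()
        return self.execute_command()


class RemoveDiskCommand(CommandBase):
    required_action = "DELETE_DISK"

    def __init__(self, engine, user, disk_id, internal=False):
        super().__init__(engine, user, internal)
        self.disk_id = disk_id

    def execute_command(self):
        return self.engine.disks.pop(self.disk_id)


def rest_delete_disk(engine, user, disk_id, patched):
    """REST-layer handler.  Unpatched: the command is dispatched as internal,
    so nothing is checked against the calling user.  Patched: the request keeps
    its external origin and is validated against the caller."""
    cmd = RemoveDiskCommand(engine, user, disk_id, internal=not patched)
    return cmd.execute()


def attempt(user, disk_id, patched):
    """Run one scenario on a fresh engine; return (deleted, remaining disk ids)."""
    engine = Engine()
    try:
        rest_delete_disk(engine, user, disk_id, patched)
        return True, sorted(engine.disks)
    except PermissionDenied:
        return False, sorted(engine.disks)


if __name__ == "__main__":
    basic = User("alice", ["BasicOperations"])
    print(attempt(basic, "disk-1", patched=False))   # (True, ['disk-2'])
    print(attempt(basic, "disk-1", patched=True))    # (False, ['disk-1', 'disk-2'])
```

The general lesson is that "internal" must be derived from the verified origin of the request rather than from how a particular command class or API handler happens to be wired, and that every externally reachable command deserves a test run as the lowest-privileged role that can reach it.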
Products affected by CVE-2019-3879
- cpe:2.3:o:redhat:virtualization:4.2:*:*:*:*:*:*:*
- cpe:2.3:a:ovirt:ovirt:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-3879
EPSS score: 0.62% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~67% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-3879
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:P | 8.0 | 4.9 | NIST | |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 | Red Hat, Inc. | |
8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H | 2.8 | 5.2 | NIST | |
The two v3 vectors differ only in the Integrity metric: Red Hat rates deleting a guest's disk as an availability impact alone (I:N), while NIST also rates it as a high integrity impact (I:H), which is what lifts the base score from 6.5 to 8.1.
CWE ids for CVE-2019-3879
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2019-3879
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3879
  1684978 – (CVE-2019-3879) CVE-2019-3879 ovirt-engine: Missing permissions check in web ui allows a user with basic privileges to delete disks (Issue Tracking; Third Party Advisory)
- http://www.securityfocus.com/bid/107561
  oVirt Engine CVE-2019-3879 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHBA-2019:0802
  RHBA-2019:0802 - Bug Fix Advisory - Red Hat Customer Portal (Third Party Advisory)