It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/107561 | Third Party Advisory VDB Entry |
https://access.redhat.com/errata/RHBA-2019:0802 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3879 | Issue Tracking Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2019-03-25T18:30:17
Updated: 2019-04-29T10:06:01
Reserved: 2019-01-03T00:00:00
Link: CVE-2019-3879
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-03-25T19:29:02.023
Modified: 2020-10-19T18:09:38.257
Link: CVE-2019-3879
JSON object: View
Redhat Information
No data.
CWE