CVE-2024-0822 - OpenCVE

An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Ovirt	Ovirt-engine

Configuration 1 [-]

cpe:2.3:a:ovirt:ovirt-engine:-:*:*:*:*:*:*:*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:0934
https://access.redhat.com/security/cve/CVE-2024-0822	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2258509	Exploit Issue Tracking Third Party Advisory
https://github.com/oVirt/ovirt-engine/pull/914

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2024-01-25T15:18:20.439Z

Updated: 2024-05-01T20:21:49.552Z

Reserved: 2024-01-23T14:15:45.514Z

Link: CVE-2024-0822

JSON object: View

NVD Information

Status : Modified

Published: 2024-01-25T16:15:08.743

Modified: 2024-02-21T21:15:08.900

Link: CVE-2024-0822

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2024-0822", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-01-23T14:15:45.514Z", "datePublished": "2024-01-25T15:18:20.439Z", "dateUpdated": "2024-05-01T20:21:49.552Z"}, "containers": {"cna": {"title": "Ovirt: authentication bypass", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command."}], "affected": [{"versions": [{"status": "affected", "version": "4.5.0", "lessThan": "4.5.6", "versionType": "semver"}], "packageName": "ovirt-engine", "collectionURL": "https://ovirt.org/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Virtualization Engine 4.4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ovirt-engine", "defaultStatus": "affected", "versions": [{"version": "0:4.5.3.10-1.el8ev", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhev_manager:4.4:el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:0934", "name": "RHSA-2024:0934", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-0822", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258509", "name": "RHBZ#2258509", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/oVirt/ovirt-engine/pull/914"}], "datePublic": "2024-01-15T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-1390", "description": "Weak Authentication", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-1390: Weak Authentication", "timeline": [{"lang": "en", "time": "2024-01-15T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-15T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-05-01T20:21:49.552Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ovirt:ovirt-engine:-:*:*:*:*:*:*:*", "matchCriteriaId": "DF146A38-CD7E-4A6D-9343-EB0ACA61D5EC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An authentication bypass vulnerability was found in overt-engine. This flaw allows the creation of users in the system without authentication due to a flaw in the CreateUserSession command."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n en overt-engine. Este fallo permite la creaci\u00f3n de usuarios en el sistema sin autenticaci\u00f3n debido a un fallo en el comando CreateUserSession."}], "id": "CVE-2024-0822", "lastModified": "2024-02-21T21:15:08.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-01-25T16:15:08.743", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:0934"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-0822"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258509"}, {"source": "secalert@redhat.com", "url": "https://github.com/oVirt/ovirt-engine/pull/914"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1390"}], "source": "secalert@redhat.com", "type": "Secondary"}]}