Описание
It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.
Ссылки
- Third Party AdvisoryVDB Entry
- Third Party Advisory
- Issue TrackingThird Party Advisory
- Third Party AdvisoryVDB Entry
- Third Party Advisory
- Issue TrackingThird Party Advisory
Уязвимые конфигурации
EPSS
6.5 Medium
CVSS3
8.1 High
CVSS3
5.5 Medium
CVSS2
Дефекты
Связанные уязвимости
It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.
It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.
EPSS
6.5 Medium
CVSS3
8.1 High
CVSS3
5.5 Medium
CVSS2