oVirt: Security Vulnerabilities
Session fixation vulnerability in the web admin interface in oVirt 3.4.0 and earlier allows remote attackers to hijack web sessions via unspecified vectors.
CVSS Score: 6.8 | EPSS Score: 0.004 | Published: 2014-09-08

The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which allows remote attackers to obtain sensitive information via a crafted web page.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2014-09-08

The setup_logging function in log.h in SANLock uses world-writable permissions for /var/log/sanlock.log, which allows local users to overwrite the file content or bypass intended disk-quota restrictions via standard filesystem write operations.
CVSS Score: 3.6 | EPSS Score: 0.0 | Published: 2012-12-20

The python SDK before 3.1.0.6 and CLI before 3.1.0.8 for oVirt 3.1 does not check the server SSL certificate against the client keys, which allows remote attackers to spoof a server via a man-in-the-middle (MITM) attack.
CVSS Score: 5.0 | EPSS Score: 0.003 | Published: 2012-08-31

