CVE-2017-15113

Severity Score

6.6

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues.

ovirt-engine en versiones anteriores a la 4.1.7.6 con el nivel de registro configurado en DEBUG incluye contraseñas en el archivo de registro sin enmascarar. Solo los administradores pueden cambiar el nivel de registro y solo los administradores pueden acceder a los registros. Esto presenta un riesgo cuando los registros de nivel de depuración se comparten con proveedores u otras partes para solucionar problemas.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-10-08 CVE Reserved
2018-07-27 CVE Published
2024-02-20 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
CWE-532: Insertion of Sensitive Information into Log File

CAPEC

References (4)

URL	Tag	Source
http://www.securityfocus.com/bid/101933	Third Party Advisory
https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git%3Ba=commitdiff%3Bh=f4a5d0cc772127dbfe40789e26c4633ceea07d14%3Bhp=e6e8704ac9eb115624ff66e2965877d8e63a45f4	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15113	2023-11-07

URL	Date	SRC
https://access.redhat.com/errata/RHEA-2017:3138	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ovirt Search vendor "Ovirt"		Ovirt Search vendor "Ovirt" for product "Ovirt"				< 4.1.7.6 Search vendor "Ovirt" for product "Ovirt" and version " < 4.1.7.6"		-		Affected
Redhat Search vendor "Redhat"		Virtualization Search vendor "Redhat" for product "Virtualization"				4.1 Search vendor "Redhat" for product "Virtualization" and version "4.1"		-		Affected