CVE-2018-1062

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM.

Se ha descubierto una vulnerabilidad en versiones 4.1.x anteriores a la 4.1.9 de oVirt, donde la combinación de las marcas Enable Discard y Wipe After Delete para los discos de máquinas virtuales gestionados por oVirt podría provocar que el disco tome el valor cero al eliminarse de una VM. Si los mismos bloques de almacenamiento se reasignan a un nuevo disco conectado a otra máquina virtual, datos potencialmente sensibles podrían revelarse a usuarios privilegiados de esa máquina virtual.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-12-04 CVE Reserved
2018-03-06 CVE Published
2023-07-28 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

CAPEC

References (5)

URL	Tag	Source
http://www.securityfocus.com/bid/103433	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1549944	Issue Tracking

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHBA-2018:0135	2020-02-18
https://gerrit.ovirt.org/#/c/84861	2020-02-18
https://gerrit.ovirt.org/#/c/84875	2020-02-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Ovirt-engine Search vendor "Redhat" for product "Ovirt-engine"				>= 4.1.0 < 4.1.9 Search vendor "Redhat" for product "Ovirt-engine" and version " >= 4.1.0 < 4.1.9"		-		Affected