CVE-2019-10139
cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment
Severity Score
7.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.
Durante la implementación de HE a través de cockpit-ovirt, cockpit-ovirt genera un archivo variable ansible `/ var / lib / ovirt-hosts-configuración-cockpit / ansibleVarFileXXXXXX.var` que contiene las contraseñas del administrador y del dispositivo como plain-text. En el momento del procedimiento de implementación, estos archivos se suprimen.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-03-27 CVE Reserved
- 2019-05-17 CVE Published
- 2024-05-10 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-311: Missing Encryption of Sensitive Data
- CWE-522: Insufficiently Protected Credentials
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/108396 | Third Party Advisory | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10139 | Issue Tracking |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2019:2433 | 2023-02-12 | |
https://access.redhat.com/errata/RHSA-2019:2437 | 2023-02-12 | |
https://access.redhat.com/security/cve/CVE-2019-10139 | 2019-08-12 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1709829 | 2019-08-12 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Ovirt Search vendor "Ovirt" | Cockpit-ovirt Search vendor "Ovirt" for product "Cockpit-ovirt" | - | - |
Affected
|