CVE-2019-10194

ovirt-engine-metrics: disclosure of sensitive passwords in log files and ansible playbooks

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions. were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.

Contraseñas confidenciales utilizadas en la implementación y configuración de oVirt Metrics, todas las versiones. Se detectó que no estaban suficientemente protegidas. Las contraseñas se pueden revelar en archivos de registro (si los playbooks se ejecutan con -v) o en los playbooks almacenados en los hosts de Metrics or Bastion.

The ovirt-engine-metrics package is used to collect and enrich metrics and logs from the Red Hat Virtualization Manager, hosts, and virtual machines. It includes Ansible scripts that configure Collectd and Fluentd on the Red Hat Virtualization Manager and hosts. It also stores remote metrics parameters. A password disclosure issue was addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-03-27 CVE Reserved
2019-07-11 CVE Published
2024-08-04 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-532: Insertion of Sensitive Information into Log File

CAPEC

References (5)

URL	Tag	Source
http://www.securityfocus.com/bid/109140	Broken Link

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:2499	2023-03-01
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10194	2023-03-01
https://access.redhat.com/security/cve/CVE-2019-10194	2019-08-15
https://bugzilla.redhat.com/show_bug.cgi?id=1726007	2019-08-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ovirt Search vendor "Ovirt"		Ovirt Search vendor "Ovirt" for product "Ovirt"				*		-		Affected
Redhat Search vendor "Redhat"		Virtualization Manager Search vendor "Redhat" for product "Virtualization Manager"				4.3 Search vendor "Redhat" for product "Virtualization Manager" and version "4.3"		-		Affected