CVE-2016-6341

oVirt Engine before 4.0.3 does not include DWH_DB_PASSWORD in the list of keys to hide in log files, which allows local users to obtain sensitive password information by reading engine log files.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/92665	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1363816	Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1369793	Issue Tracking
https://www.ovirt.org/release/4.0.3/	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ovirt:ovirt:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-04-20 17:59

Updated : 2024-02-04 19:11

NVD link : CVE-2016-6341

Mitre link : CVE-2016-6341

CVE.ORG link : CVE-2016-6341

JSON object : View

Products Affected

ovirt

ovirt

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2016-6341", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2017-04-20T17:59:00.993", "references": [{"url": "http://www.securityfocus.com/bid/92665", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1363816", "tags": ["Issue Tracking"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1369793", "tags": ["Issue Tracking"], "source": "secalert@redhat.com"}, {"url": "https://www.ovirt.org/release/4.0.3/", "tags": ["Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "oVirt Engine before 4.0.3 does not include DWH_DB_PASSWORD in the list of keys to hide in log files, which allows local users to obtain sensitive password information by reading engine log files."}, {"lang": "es", "value": "oVirt Engine en versiones anteriores a 4.0.3 no incluye DWH_DB_PASSWORD en el listado de claves que se ocultan en los archivos de registro, lo que permite a usuarios locales obtener informaci\u00f3n sensible de contrase\u00f1as mediante la lectura de los archivos de registro de motor."}], "lastModified": "2017-04-25T19:02:26.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ovirt:ovirt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9647383B-738F-4076-B227-39CAFFB411F1", "versionEndIncluding": "4.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}