CVE-2019-10139 MEDIUM

Vendor Ovirt
Product cockpit-ovirt
Weakness CWE-522 · Insufficiently protected credentials
Published May 17, 2019
Last update August 4, 2024

CVSS base score

5.6/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

During HE deployment via cockpit-ovirt, cockpit-ovirt generates an Ansible variable file, `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var`, which contains the admin and the appliance passwords in plain text. At the end of the deployment procedure, these files are deleted.

Key dates

02 Disclosure timeline

May 17, 2019 CVE published
August 4, 2024 Record updated