CVE-2019-3879 MEDIUM

CVE-2019-3879

Vendor Unspecified

Product ovirt-engine

Weakness CWE-862 · Missing authorization

Published March 25, 2019

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.

Key dates

02Disclosure timeline

March 25, 2019 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-3879 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2024-0984 ImageRecycle pdf & image compression <= 3.1.13 - Missing Authorization to Settings Update in disableOptimization CVE-2024-4744 WordPress iPages Flipbook plugin <= 1.5.1 - Broken Access Control vulnerability CVE-2026-8239 Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/get_rating' CVE-2026-26979 Discourse: TL4 users are able to change status of restricted topics CVE-2026-22481 WordPress BD Courier Order Ratio Checker plugin <= 2.0.1 - Broken Access Control vulnerability