Vulnerabilities (CVE)

Vendor filter

Redhat Subscribe

Product filter

Virtualization Subscribe

Filter

79 total CVE
CVE Vendors Products Updated CVSS
CVE-2019-3879 2 Ovirt, Redhat 2 Ovirt, Virtualization 2019-10-09 5.5
It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low...
CVE-2019-10168 1 Redhat 9 Libvirt, Enterprise Linux, Enterprise Linux Desktop and 6 more 2019-10-09 4.6
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt...
CVE-2019-10167 1 Redhat 9 Libvirt, Enterprise Linux, Enterprise Linux Desktop and 6 more 2019-10-09 4.6
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to...
CVE-2019-10166 1 Redhat 9 Libvirt, Enterprise Linux, Enterprise Linux Desktop and 6 more 2019-10-09 4.6
It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had...
CVE-2018-1114 1 Redhat 3 Undertow, Virtualization, Virtualization Host 2019-10-09 4.0
It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.
CVE-2018-1073 2 Ovirt, Redhat 3 Ovirt, Redhat Virtualization, Virtualization 2019-10-09 5.0
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
CVE-2018-1067 1 Redhat 3 Jboss Enterprise Application Platform, Undertow, Virtualization 2019-10-09 5.8
In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient...
CVE-2018-10936 2 Postgresql, Redhat 3 Postgresql Jdbc Driver, Enterprise Linux, Virtualization 2019-10-09 6.8
A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle...
CVE-2018-10908 2 Redhat, Ovirt 2 Virtualization, Vdsm 2019-10-09 7.1
It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory of CPU...
CVE-2018-10873 4 Spice Project, Redhat, Canonical and 1 more 11 Spice, Virtualization, Virtualization Host and 8 more 2019-10-09 6.5
A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to...
CVE-2017-7539 2 Qemu, Redhat 3 Qemu, Openstack, Virtualization 2019-10-09 5.0
An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data...
CVE-2017-15119 4 Qemu, Redhat, Canonical and 1 more 4 Qemu, Virtualization, Ubuntu Linux and 1 more 2019-10-09 5.0
The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A...
CVE-2017-15113 2 Ovirt, Redhat 2 Ovirt, Virtualization 2019-10-09 3.5
ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level...
CVE-2017-12196 1 Redhat 4 Jboss Enterprise Application Platform, Jboss Fuse, Undertow and 1 more 2019-10-09 4.3
undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows...
CVE-2016-8647 1 Redhat 2 Virtualization, Ansible Engine 2019-10-09 4.0
An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed.
CVE-2017-15121 1 Redhat 8 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server and 5 more 2019-10-09 4.9
A non-privileged user is able to mount a fuse filesystem on RHEL 6 or 7 and crash a system if an application punches a hole in a file that does not end aligned to a page boundary.
CVE-2018-1088 1 Redhat 4 Gluster Storage, Virtualization, Virtualization Host and 1 more 2019-10-03 6.8
A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.
CVE-2018-6764 3 Redhat, Canonical, Debian 7 Libvirt, Virtualization, Ubuntu Linux and 4 more 2019-10-03 4.6
util/virlog.c in libvirt does not properly determine the hostname on LXC container startup, which allows local guest OS users to bypass an intended container protection mechanism and execute arbitrary commands via a crafted NSS module.
CVE-2018-16838 2 Fedoraproject, Redhat 3 Sssd, Enterprise Linux, Virtualization 2019-10-03 5.5
A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.
CVE-2018-10915 4 Postgresql, Redhat, Canonical and 1 more 9 Postgresql, Openstack, Virtualization and 6 more 2019-10-03 6.0
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from...