An information disclosure in ovirt-hosted-engine-setup prior to 2.2.7 reveals the root user's password in the log file.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-1000018 from the MITRE CVE dictionary dictionary and NIST NVD.
Released versions of Red Hat Enterprise Virtualization were not impacted by this issue in practice as the passwords were not saved in the answerfile during provisioning.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
CVSS3 Base Score | 6.3 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
Attack Vector | Local |
Attack Complexity | Low |
Privileges Required | Low |
User Interaction | None |
Scope | Changed |
Confidentiality | Low |
Integrity Impact | Low |
Availability Impact | Low |
Platform | Package | State |
---|---|---|
Red Hat Virtualization 4 | ovirt-hosted-engine-setup | Will not fix |