cvedb.io
CVE-2019-3879
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2019-03-25T19:29:02.023 · Last modified 2026-06-17T02:35:47.560

Summary

It was discovered that in the ovirt's REST API before version 4.3.2.1, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (eg Basic Operations) could exploit this flaw to delete disks attached to guests.

Affected products

ovirt — ovirt

Does this affect you?

Add your gear to cvedb and we'll alert you only when ovirt ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.