{"containers": {"cna": {"affected": [{"product": "oVirt", "vendor": "oVirt", "versions": [{"status": "affected", "version": "4.1.x before 4.1.9"}]}], "datePublic": "2018-03-06T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-212", "description": "CWE-212", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-03-20T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1549944"}, {"name": "RHBA-2018:0135", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHBA-2018:0135"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gerrit.ovirt.org/#/c/84875/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://gerrit.ovirt.org/#/c/84861/"}, {"name": "103433", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103433"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "DATE_PUBLIC": "2018-03-06T00:00:00", "ID": "CVE-2018-1062", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "oVirt", "version": {"version_data": [{"version_value": "4.1.x before 4.1.9"}]}}]}, "vendor_name": "oVirt"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-212"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1549944", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1549944"}, {"name": "RHBA-2018:0135", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHBA-2018:0135"}, {"name": "https://gerrit.ovirt.org/#/c/84875/", "refsource": "CONFIRM", "url": "https://gerrit.ovirt.org/#/c/84875/"}, {"name": "https://gerrit.ovirt.org/#/c/84861/", "refsource": "CONFIRM", "url": "https://gerrit.ovirt.org/#/c/84861/"}, {"name": "103433", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103433"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:48.337Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1549944"}, {"name": "RHBA-2018:0135", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHBA-2018:0135"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gerrit.ovirt.org/#/c/84875/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gerrit.ovirt.org/#/c/84861/"}, {"name": "103433", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103433"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-1062", "datePublished": "2018-03-06T15:00:00Z", "dateReserved": "2017-12-04T00:00:00", "dateUpdated": "2024-09-17T02:16:32.159Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ovirt-engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "39DAC583-E6BA-4AFF-945D-B4BC682CE1C6", "versionEndExcluding": "4.1.9", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad en versiones 4.1.x anteriores a la 4.1.9 de oVirt, donde la combinaci\u00f3n de las marcas Enable Discard y Wipe After Delete para los discos de m\u00e1quinas virtuales gestionados por oVirt podr\u00eda provocar que el disco tome el valor cero al eliminarse de una VM. Si los mismos bloques de almacenamiento se reasignan a un nuevo disco conectado a otra m\u00e1quina virtual, datos potencialmente sensibles podr\u00edan revelarse a usuarios privilegiados de esa m\u00e1quina virtual."}], "id": "CVE-2018-1062", "lastModified": "2020-02-18T19:07:48.563", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-06T15:29:00.220", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103433"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHBA-2018:0135"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1549944"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://gerrit.ovirt.org/#/c/84861/"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://gerrit.ovirt.org/#/c/84875/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-212"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-212"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Idan Shaby (Red Hat).", "affected_release": [{"advisory": "RHBA-2018:0135", "cpe": "cpe:/a:redhat:rhev_manager:4", "package": "org.ovirt.engine-root-0:4.1.9.1-1", "product_name": "Red Hat Virtualization Engine 4.1", "release_date": "2018-01-24T00:00:00Z"}], "bugzilla": {"description": "ovirt-engine: When Wipe After Delete (WAD) and Enable Discard are both enabled for a VM disk, discarded data might not be wiped after the disk is removed.", "id": "1549944", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1549944"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-212", "details": ["A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM.", "It was discovered that the combination of Enable Discard and Wipe After Delete flags for VM disks managed by oVirt, could cause a disk to be incompletely zeroed when removed from a VM. If the same storage blocks happen to be later allocated to a new disk attached to another VM, potentially sensitive data could be revealed to privileged users of that VM."], "name": "CVE-2018-1062", "package_state": [{"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "org.ovirt.engine-root", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "package_name": "ovirt-engine", "product_name": "Red Hat Virtualization 4"}], "public_date": "2018-03-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1062\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1062\nhttps://gerrit.ovirt.org/#/c/84861\nhttps://gerrit.ovirt.org/#/c/84875"], "threat_severity": "Low", "upstream_fix": "ovirt-engine 4.1.9"}