CVE Vulnerabilities

CVE-2014-8170

Use of Externally-Controlled Format String

Published: Sep 26, 2017 | Modified: Apr 20, 2025
CVSS 3.x
8.8
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
9 HIGH
AV:N/AC:L/Au:S/C:C/I:C/A:C
RedHat/V2
6 MODERATE
AV:N/AC:M/Au:S/C:P/I:P/A:P
RedHat/V3
Ubuntu

ovirt_safe_delete_config in ovirtfunctions.py and other unspecified locations in ovirt-node 3.0.0-474-gb852fd7 as packaged in Red Hat Enterprise Virtualization 3 do not properly quote input strings, which allows remote authenticated users and physically proximate attackers to execute arbitrary commands via a ; (semicolon) in an input string.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name Vendor Start Version End Version
Ovirt-node Ovirt 3.0.0-474-gb852fd7 (including) 3.0.0-474-gb852fd7 (including)

Potential Mitigations

References