Plain-text storage of admin and appliance passwords in ansible variable file during HE deployment via cockpit-ovirt

Plain-text storage of admin and appliance passwords in ansible variable file during HE deployment via cockpit-ovirt

CVE-2019-10139 · HIGH Severity

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ansible variable file `/var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileXXXXXX.var` which contains the admin and the appliance passwords as plain-text. At the of the deployment procedure, these files are deleted.

Learn more about our Web Application Penetration Testing UK.