CVE Vulnerabilities

CVE-2014-7851

Published: Oct 16, 2017 | Modified: Feb 13, 2023
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
6 MEDIUM
AV:N/AC:M/Au:S/C:P/I:P/A:P
RedHat/V2
4.6 MODERATE
AV:N/AC:H/Au:S/C:P/I:P/A:P
RedHat/V3
Ubuntu

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another users session data to gain that users privileges by replacing their session token with that of another user.

Affected Software

Name Vendor Start Version End Version
Ovirt Ovirt 3.3.2 (including) 3.3.2 (including)
Ovirt Ovirt 3.4.0 (including) 3.4.0 (including)
Ovirt-engine Redhat 3.2.2 (including) 3.2.2 (including)
Ovirt-engine Redhat 3.3-beta1 (including) 3.3-beta1 (including)
Ovirt-engine Redhat 3.3-rc1 (including) 3.3-rc1 (including)
Ovirt-engine Redhat 3.3-rc2 (including) 3.3-rc2 (including)
Ovirt-engine Redhat 3.3.0.1 (including) 3.3.0.1 (including)
Ovirt-engine Redhat 3.3.1 (including) 3.3.1 (including)
Ovirt-engine Redhat 3.3.1-beta1 (including) 3.3.1-beta1 (including)
Ovirt-engine Redhat 3.3.1-rc1 (including) 3.3.1-rc1 (including)
Ovirt-engine Redhat 3.3.2-beta1 (including) 3.3.2-beta1 (including)
Ovirt-engine Redhat 3.3.3-beta1 (including) 3.3.3-beta1 (including)
Ovirt-engine Redhat 3.3.3-rc1 (including) 3.3.3-rc1 (including)
Ovirt-engine Redhat 3.3.4-beta1 (including) 3.3.4-beta1 (including)
Ovirt-engine Redhat 3.3.4-rc1 (including) 3.3.4-rc1 (including)
Ovirt-engine Redhat 3.3.5-rc1 (including) 3.3.5-rc1 (including)
Ovirt-engine Redhat 3.4.0-beta1 (including) 3.4.0-beta1 (including)
Ovirt-engine Redhat 3.4.0-beta2 (including) 3.4.0-beta2 (including)
Ovirt-engine Redhat 3.4.0-beta3 (including) 3.4.0-beta3 (including)
Ovirt-engine Redhat 3.4.0-rc2 (including) 3.4.0-rc2 (including)
Ovirt-engine Redhat 3.4.0-rc3 (including) 3.4.0-rc3 (including)
Ovirt-engine Redhat 3.4.1 (including) 3.4.1 (including)
Ovirt-engine Redhat 3.4.1-rc1 (including) 3.4.1-rc1 (including)
Ovirt-engine Redhat 3.4.2 (including) 3.4.2 (including)
Ovirt-engine Redhat 3.4.2-rc1 (including) 3.4.2-rc1 (including)
Ovirt-engine Redhat 3.4.3 (including) 3.4.3 (including)
Ovirt-engine Redhat 3.4.3-rc1 (including) 3.4.3-rc1 (including)
Ovirt-engine Redhat 3.4.4 (including) 3.4.4 (including)
Ovirt-engine Redhat 3.4.4-rc1 (including) 3.4.4-rc1 (including)
Ovirt-engine Redhat 3.5.0 (including) 3.5.0 (including)
RHEV Manager version 3.5 RedHat org.ovirt.engine-root-0:3.5.0-32 *

References