CVE-2014-7851

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.

Published: Oct 16, 2017
Updated: Apr 13, 2023
CVE: CVE-2014-7851
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6
AV:N/AC:M/Au:S/C:P/I:P/A:P

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
ovirt / ovirt	3.3.2	3.3.2.x
ovirt / ovirt	3.4.0	3.4.0.x
redhat / ovirt-engine	3.2.2	3.2.2.x
redhat / ovirt-engine	3.3-beta1	3.3-beta1.x
redhat / ovirt-engine	3.3-rc1	3.3-rc1.x
redhat / ovirt-engine	3.3-rc2	3.3-rc2.x
redhat / ovirt-engine	3.3.0.1	3.3.0.1.x
redhat / ovirt-engine	3.3.1-beta1	3.3.1-beta1.x
redhat / ovirt-engine	3.3.1	3.3.1.x
redhat / ovirt-engine	3.3.1-rc1	3.3.1-rc1.x
redhat / ovirt-engine	3.3.2-beta1	3.3.2-beta1.x
redhat / ovirt-engine	3.3.3-beta1	3.3.3-beta1.x
redhat / ovirt-engine	3.3.3-rc1	3.3.3-rc1.x
redhat / ovirt-engine	3.3.4-beta1	3.3.4-beta1.x
redhat / ovirt-engine	3.3.4-rc1	3.3.4-rc1.x
redhat / ovirt-engine	3.3.5-rc1	3.3.5-rc1.x
redhat / ovirt-engine	3.4.0-beta1	3.4.0-beta1.x
redhat / ovirt-engine	3.4.0-beta2	3.4.0-beta2.x
redhat / ovirt-engine	3.4.0-beta3	3.4.0-beta3.x
redhat / ovirt-engine	3.4.0-rc2	3.4.0-rc2.x
redhat / ovirt-engine	3.4.0-rc3	3.4.0-rc3.x
redhat / ovirt-engine	3.4.1	3.4.1.x
redhat / ovirt-engine	3.4.1-rc1	3.4.1-rc1.x
redhat / ovirt-engine	3.4.2	3.4.2.x
redhat / ovirt-engine	3.4.2-rc1	3.4.2-rc1.x
redhat / ovirt-engine	3.4.3	3.4.3.x
redhat / ovirt-engine	3.4.3-rc1	3.4.3-rc1.x
redhat / ovirt-engine	3.4.4	3.4.4.x
redhat / ovirt-engine	3.4.4-rc1	3.4.4-rc1.x
redhat / ovirt-engine	3.5.0	3.5.0.x

Vulnerability Database

289,599

CVE-2014-7851