CVE-2014-7851

moderate-risk
Published 2017-10-16

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.

Do I need to act?

-
0.39% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / HIGH complexity

Affected Products (20)

Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt-Engine
Ovirt
Ovirt

Affected Vendors

Ovirt Redhat

References (4)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1161730
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1165311
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1161730
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1165311
45
/ 100
moderate-risk
Severity 22/34 · High
Exploitability 1/34 · Minimal
Exposure 22/34 · High