Lucene search

[email protected]CVE-2014-7851

HistoryOct 16, 2017 - 3:29 p.m.

CVE-2014-7851

2017-10-1615:29:00

CWE-264

[email protected]

web.nvd.nist.gov

ovirt

session token

replacement

vulnerability

cve-2014-7851

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

6 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

51.4%

JSON

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user’s session data to gain that user’s privileges by replacing their session token with that of another user.

Affected configurations

NVD

Node

ovirtovirtMatch3.3.2

ovirtovirtMatch3.4.0

redhatovirt-engineMatch3.2.2

redhatovirt-engineMatch3.3beta1

redhatovirt-engineMatch3.3rc1

redhatovirt-engineMatch3.3rc2

redhatovirt-engineMatch3.3.0.1

redhatovirt-engineMatch3.3.1

redhatovirt-engineMatch3.3.1beta1

redhatovirt-engineMatch3.3.1rc1

redhatovirt-engineMatch3.3.2beta1

redhatovirt-engineMatch3.3.3beta1

redhatovirt-engineMatch3.3.3rc1

redhatovirt-engineMatch3.3.4beta1

redhatovirt-engineMatch3.3.4rc1

redhatovirt-engineMatch3.3.5rc1

redhatovirt-engineMatch3.4.0beta1

redhatovirt-engineMatch3.4.0beta2

redhatovirt-engineMatch3.4.0beta3

redhatovirt-engineMatch3.4.0rc2

redhatovirt-engineMatch3.4.0rc3

redhatovirt-engineMatch3.4.1

redhatovirt-engineMatch3.4.1rc1

redhatovirt-engineMatch3.4.2

redhatovirt-engineMatch3.4.2rc1

redhatovirt-engineMatch3.4.3

redhatovirt-engineMatch3.4.3rc1

redhatovirt-engineMatch3.4.4

redhatovirt-engineMatch3.4.4rc1

redhatovirt-engineMatch3.5.0

CPENameOperatorVersion
ovirt:ovirtovirteq3.3.2
ovirt:ovirtovirteq3.4.0
redhat:ovirt-engineredhat ovirt-engineeq3.2.2
redhat:ovirt-engineredhat ovirt-engineeq3.3
redhat:ovirt-engineredhat ovirt-engineeq3.3.0.1
redhat:ovirt-engineredhat ovirt-engineeq3.3.1
redhat:ovirt-engineredhat ovirt-engineeq3.3.2
redhat:ovirt-engineredhat ovirt-engineeq3.3.3
redhat:ovirt-engineredhat ovirt-engineeq3.3.4
redhat:ovirt-engineredhat ovirt-engineeq3.3.5

CPE	Name	Operator	Version
ovirt:ovirt	ovirt	eq	3.3.2
ovirt:ovirt	ovirt	eq	3.4.0
redhat:ovirt-engine	redhat ovirt-engine	eq	3.2.2
redhat:ovirt-engine	redhat ovirt-engine	eq	3.3
redhat:ovirt-engine	redhat ovirt-engine	eq	3.3.0.1
redhat:ovirt-engine	redhat ovirt-engine	eq	3.3.1
redhat:ovirt-engine	redhat ovirt-engine	eq	3.3.2
redhat:ovirt-engine	redhat ovirt-engine	eq	3.3.3
redhat:ovirt-engine	redhat ovirt-engine	eq	3.3.4
redhat:ovirt-engine	redhat ovirt-engine	eq	3.3.5

Rows per page:

1-10 of 161

References

bugzilla.redhat.com/show_bug.cgi?id=1161730

bugzilla.redhat.com/show_bug.cgi?id=1165311

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

6 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

51.4%

JSON

Related for CVE-2014-7851

prion1 nvd1 cvelist1