Lucene search

[email protected]CVE-2017-2614

HistoryJul 27, 2018 - 6:29 p.m.

CVE-2017-2614

2018-07-2718:29:00

CWE-640

[email protected]

web.nvd.nist.gov

cve-2017-2614

rhvm database

password update

ovirt-aaa-jdbc-tool

expired password

unauthorized access

nvd

6.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

6.3 Medium

AI Score

Confidence

High

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

0.0004 Low

EPSS

Percentile

11.7%

JSON

When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining access to those accounts.

CPENameOperatorVersion
redhat:enterprise_virtualizationredhat enterprise virtualizationeq4.0

CPE	Name	Operator	Version
redhat:enterprise_virtualization	redhat enterprise virtualization	eq	4.0

References

rhn.redhat.com/errata/RHSA-2017-0257.html

bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2614

6.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

6.3 Medium

AI Score

Confidence

High

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

0.0004 Low

EPSS

Percentile

11.7%

JSON

Related for CVE-2017-2614

prion1 veracode1 redhatcve1 nessus1 redhat1