Session fixation

2017-10-1615:29:00

PRIOn knowledge base

www.prio-n.com

7.1 High

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

51.6%

JSON

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user’s session data to gain that user’s privileges by replacing their session token with that of another user.

CPENameOperatorVersion
ovirteq3.3.2
ovirteq3.4.0
ovirt-engineeq3.2.2
ovirt-engineeq3.3 beta1
ovirt-engineeq3.3 rc1
ovirt-engineeq3.3 rc2
ovirt-engineeq3.3.0.1
ovirt-engineeq3.3.1 beta1
ovirt-engineeq3.3.1
ovirt-engineeq3.3.1 rc1

Name	Operator	Version
ovirt	eq	3.3.2
ovirt	eq	3.4.0
ovirt-engine	eq	3.2.2
ovirt-engine	eq	3.3 beta1
ovirt-engine	eq	3.3 rc1
ovirt-engine	eq	3.3 rc2
ovirt-engine	eq	3.3.0.1
ovirt-engine	eq	3.3.1 beta1
ovirt-engine	eq	3.3.1
ovirt-engine	eq	3.3.1 rc1