CVE-2014-0153Sensitive Information Exposure in Ovirt

CWE-200Sensitive Information ExposureCWE-522Insufficiently Protected Credentials6 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 55.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ovirt
Timeline
PublishedSep 8
Latest updateMay 13

Description

The REST API in oVirt 3.4.0 and earlier stores session IDs in HTML5 local storage, which allows remote attackers to obtain sensitive information via a crafted web page.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDovirt/ovirt3.4.0

Patches

Patch: gerrit.ovirt.orgPatch: www.ovirt.orgPatch: gerrit.ovirt.org

🔴Vulnerability Details

2
GHSA
GHSA-mpx4-8rp2-j882: The REST API in oVirt 32022-05-13
CVEList
CVE-2014-0153: The REST API in oVirt 32014-09-08

📋Vendor Advisories

1
Red Hat
ovirt-engine-api: session ID stored in HTML5 local storage2014-03-17

💬Community

2
Bugzilla
CVE-2014-0153 ovirt-engine-api: session ID stored in HTML5 local storage2014-03-28
Bugzilla
CVE-2014-0153 ovirt-engine: ovirt-engine-api: session ID stored in HTML5 local storage [fedora-all]2014-03-28
CVE-2014-0153 — Sensitive Information Exposure in Ovirt | cvebase