CVE-2014-0154 — Sensitive Information Exposure in Ovirt

CWE-200 — Sensitive Information Exposure CWE-522 — Insufficiently Protected Credentials6 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

0.2%

top 53.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ovirt

Timeline

PublishedFeb 13

Latest updateMay 17

Description

oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDovirt/ovirt3.4.4

Patches

Patch: rhn.redhat.com ↗Patch: rhn.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-3mxr-r8gm-qxvv: oVirt Engine before 3↗2022-05-17

▶

CVEList

CVE-2014-0154: oVirt Engine before 3↗2015-02-13

▶

📋Vendor Advisories

Red Hat

ovirt-engine-webadmin: HttpOnly flag is not included when the session ID is set↗2014-03-17

▶

💬Community

Bugzilla

CVE-2014-0154 ovirt-engine-webadmin: HttpOnly flag is not included when the session ID is set↗2014-03-28

▶

Bugzilla

CVE-2014-0154 ovirt-engine: ovirt-engine-webadmin: HttpOnly flag is not included when the session ID is set [fedora-all]↗2014-03-28

▶