CVE-2014-7851 — Insufficient Session Expiration in Ovirt

CWE-264 CWE-613 — Insufficient Session Expiration6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 40.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ovirt Redhat Ovirt-engine

Timeline

PublishedOct 16

Latest updateMay 13

Description

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDovirt/ovirt3.3.2, 3.4.0+1

▶NVDredhat/ovirt-engine14 versions+13

🔴Vulnerability Details

GHSA

GHSA-353g-73mj-6wf9: oVirt 3↗2022-05-13

▶

CVEList

CVE-2014-7851: oVirt 3↗2017-10-16

▶

📋Vendor Advisories

Red Hat

ovirt-engine-webadmin: does not invalidate all sessions upon logout↗2015-02-17

▶

💬Community

Bugzilla

CVE-2014-7851 ovirt-engine-webadmin: does not invalidate all sessions upon logout↗2014-11-18

▶