CVE-2017-2614

CWE-20 — Improper Input Validation CWE-6405 documents5 sources

Severity

6.3MEDIUM

EPSS

0.0%

top 89.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Ovirt-engine-extension-aaa-jdbc Redhat Enterprise Virtualization

Timeline

PublishedJul 27

Latest updateMay 13

Description

When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining access to those accounts.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:LExploitability: 2.5 | Impact: 3.7

Affected Packages2 packages

▶CVEListV5red_hat/ovirt-engine-extension-aaa-jdbc1.1.3

▶NVDredhat/enterprise_virtualization4.0

🔴Vulnerability Details

GHSA

GHSA-w5vv-xfcc-x3jc: When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1↗2022-05-13

▶

CVEList

CVE-2017-2614: When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1↗2018-07-27

▶

📋Vendor Advisories

Red Hat

rhev-m-4: Fails to validate existing expired passwords when changing a password↗2017-02-06

▶

💬Community

Bugzilla

CVE-2017-2614 rhev-m-4: Fails to validate existing expired passwords when changing a password↗2017-01-30

▶