CVE-2014-7851

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.
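| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.5 HIGH | NETWORK | HIGH | LOW | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| redhat | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |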
EPSS Score
Percentile: 59%
| Vendor | Product | Version |
|---|---|---|
| ovirt | ovirt | 3.3.2 |
| ovirt | ovirt | 3.4.0 |
| redhat | ovirt-engine | 3.2.2 |
| redhat | ovirt-engine | 3.3:beta1 |
| redhat | ovirt-engine | 3.3:rc1 |
| redhat | ovirt-engine | 3.3:rc2 |
| redhat | ovirt-engine | 3.3.0.1 |
| redhat | ovirt-engine | 3.3.1 |
| redhat | ovirt-engine | 3.3.1:beta1 |
| redhat | ovirt-engine | 3.3.1:rc1 |
| redhat | ovirt-engine | 3.3.2:beta1 |
| redhat | ovirt-engine | 3.3.3:beta1 |
| redhat | ovirt-engine | 3.3.3:rc1 |
| redhat | ovirt-engine | 3.3.4:beta1 |
| redhat | ovirt-engine | 3.3.4:rc1 |
| redhat | ovirt-engine | 3.3.5:rc1 |
| redhat | ovirt-engine | 3.4.0:beta1 |
| redhat | ovirt-engine | 3.4.0:beta2 |
| redhat | ovirt-engine | 3.4.0:beta3 |
| redhat | ovirt-engine | 3.4.0:rc2 |
| redhat | ovirt-engine | 3.4.0:rc3 |
| redhat | ovirt-engine | 3.4.1 |
| redhat | ovirt-engine | 3.4.1:rc1 |
| redhat | ovirt-engine | 3.4.2 |
| redhat | ovirt-engine | 3.4.2:rc1 |
| redhat | ovirt-engine | 3.4.3 |
| redhat | ovirt-engine | 3.4.3:rc1 |
| redhat | ovirt-engine | 3.4.4 |
| redhat | ovirt-engine | 3.4.4:rc1 |
| redhat | ovirt-engine | 3.5.0 |
Common Weakness Enumeration