oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1161730 | Issue Tracking |
https://bugzilla.redhat.com/show_bug.cgi?id=1165311 | Issue Tracking |
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2017-10-16T15:00:00
Updated: 2017-10-16T14:57:01
Reserved: 2014-10-03T00:00:00
Link: CVE-2014-7851
NVD Information
Status: Modified
Published: 2017-10-16T15:29:00.230
Modified: 2023-02-13T00:42:36.810
Link: CVE-2014-7851