CVE-2014-7851
Summary
| CVE | CVE-2014-7851 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-10-16 15:29:00 UTC |
| Updated | 2023-02-13 00:42:00 UTC |
| Description | oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user. |
Risk And Classification
Problem Types: CWE-264
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ovirt | Ovirt | 3.3.2 | All | All | All |
| Application | Ovirt | Ovirt | 3.4.0 | All | All | All |
| Application | Ovirt | Ovirt | 3.3.2 | All | All | All |
| Application | Ovirt | Ovirt | 3.4.0 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.2.2 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.3 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3 | rc2 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.0.1 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.3.1 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.3.1 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.1 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.2 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.3 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.3 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.4 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.4 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.5 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.0 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.0 | beta2 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.0 | beta3 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.0 | rc2 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.0 | rc3 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.1 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.4.1 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.2 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.4.2 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.3 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.4.3 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.4 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.4.4 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.5.0 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.2.2 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.3 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3 | rc2 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.0.1 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.3.1 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.3.1 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.1 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.2 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.3 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.3 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.4 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.4 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.3.5 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.0 | beta1 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.0 | beta2 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.0 | beta3 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.0 | rc2 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.0 | rc3 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.1 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.4.1 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.2 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.4.2 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.3 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.4.3 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.4.4 | All | All | All |
| Application | Redhat | Ovirt-engine | 3.4.4 | rc1 | All | All |
| Application | Redhat | Ovirt-engine | 3.5.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | MISC | access.redhat.com | |
| CVE-2014-7851 - Red Hat Customer Portal | MISC | access.redhat.com | |
| 1161730 – Logout must logout all sessions | CONFIRM | bugzilla.redhat.com | Issue Tracking |
| 1165311 – (CVE-2014-7851) CVE-2014-7851 ovirt-engine-webadmin: does not invalidate all sessions upon logout | CONFIRM | bugzilla.redhat.com | Issue Tracking |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.