Vulnerability Details CVE-2014-7851
oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 58.9%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 6.0
References
Products affected by CVE-2014-7851
-
cpe:2.3:a:ovirt:ovirt:3.3.2
-
cpe:2.3:a:ovirt:ovirt:3.4.0
-
cpe:2.3:a:redhat:ovirt-engine:3.2.2
-
cpe:2.3:a:redhat:ovirt-engine:3.3
-
cpe:2.3:a:redhat:ovirt-engine:3.3.0.1
-
cpe:2.3:a:redhat:ovirt-engine:3.3.1
-
cpe:2.3:a:redhat:ovirt-engine:3.3.2
-
cpe:2.3:a:redhat:ovirt-engine:3.3.3
-
cpe:2.3:a:redhat:ovirt-engine:3.3.4
-
cpe:2.3:a:redhat:ovirt-engine:3.3.5
-
cpe:2.3:a:redhat:ovirt-engine:3.4.0
-
cpe:2.3:a:redhat:ovirt-engine:3.4.1
-
cpe:2.3:a:redhat:ovirt-engine:3.4.2
-
cpe:2.3:a:redhat:ovirt-engine:3.4.3
-
cpe:2.3:a:redhat:ovirt-engine:3.4.4
-
cpe:2.3:a:redhat:ovirt-engine:3.5.0