Bug 1165311 (CVE-2014-7851)
| Summary: | CVE-2014-7851 ovirt-engine-webadmin: does not invalidate all sessions upon logout | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acathrow, alonbl, bazulay, bmcclain, dblechte, ecohen, gklein, idith, iheim, jrusnack, lsurette, michal.skrivanek, nobody, rbalakri, security-response-team, wmealing, yeylon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
It was found that oVirt did not correctly terminate sessions when a user logged out from the web interface. Upon logout, only the engine session was invalidated but the restapi session persisted. An attacker able to obtain the session data, and able to log in with their own credentials, could replace their session token with the stolen token and elevate their privileges to those of the victim user. Note that in order for this flaw to be exploited, the attacker must also have a valid login and authenticate successfully.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-02-16 05:23:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1167165, 1167166 | ||
| Bug Blocks: | 1163552 | ||
|
Description
Vincent Danen
2014-11-18 19:36:38 UTC
The original oVirt bug report is here: Bug #1161730 |