Red Hat Bugzilla – Bug 1081849
CVE-2014-0151 ovirt-engine: cross-site request forgery (CSRF)
Last modified: 2016-12-04 15:39:09 EST
The oVirt REST API is vulnerable to Cross-Site Request Forgery (CSRF) attacks. A remote attacker could provide a specially-crafted web page that, when visited by a user with a valid REST API session, would cause the user's browser to send requests to the oVirt REST API with that session's credentials, allowing the attacker to trigger API calls with the victim's privileges.
Created ovirt-engine tracking bugs for this issue:
Affects: fedora-all [bug 1081906]
Note that the same vulnerability affects the oVirt backend/GUI, as an attacker can also craft a request for the GWT RPC servlet using the same method.
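The following is an added illustration, not code from oVirt or from this bug report. It models the attack shape described above for both the REST API and a servlet endpoint: a request that carries a valid session cookie is honoured regardless of where it originated, so a crafted page on another site can drive the API with the victim's browser. Next to it is a hardened handler that additionally requires a per-session token in a custom request header and rejects state-changing requests from unexpected origins. The session store, the header name X-CSRF-Token, the allowed origin https://engine.example and the paths used in the demo are assumptions made for this example.

```python
"""Illustrative CSRF check for a cookie-authenticated REST API.

Added example, not oVirt code. It shows the vulnerable pattern (any request
carrying a valid session cookie is executed) beside a hardened pattern
(state-changing requests must also carry a per-session token in a custom
header, which a cross-site form or simple request cannot add). The header
name, origin and API paths below are assumptions for illustration.
"""
import secrets

# Methods that change state and therefore need CSRF protection.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


class SessionStore:
    """Minimal in-memory session store: session id -> user and CSRF token."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def vulnerable_handler(store, method, path, cookies, headers):
    """Before: any request with a valid session cookie is executed.
    Browsers attach cookies to cross-site requests too, so a crafted page
    can drive this endpoint with the victim's session."""
    sess = store.get(cookies.get("JSESSIONID", ""))
    if sess is None:
        return 401, "no session"
    return 200, f"{sess['user']} executed {method} {path}"


def hardened_handler(store, method, path, cookies, headers,
                     allowed_origins=("https://engine.example",)):
    """After: a state-changing request must come from an allowed origin (when
    the browser sends Origin/Referer at all) and must carry the session's
    CSRF token in a custom header. A cross-origin page cannot read the
    token and cannot set custom headers on a form submission."""
    sess = store.get(cookies.get("JSESSIONID", ""))
    if sess is None:
        return 401, "no session"
    if method in STATE_CHANGING:
        origin = headers.get("Origin") or headers.get("Referer")
        if origin is not None and not any(origin.startswith(o) for o in allowed_origins):
            return 403, "cross-origin request rejected"
        token = headers.get("X-CSRF-Token", "")
        # Constant-time comparison; both values are ASCII strings.
        if not secrets.compare_digest(token, sess["csrf"]):
            return 403, "missing or invalid CSRF token"
    return 200, f"{sess['user']} executed {method} {path}"


def demo():
    """Run constructed requests through both handlers; returns status codes."""
    store = SessionStore()
    sid = store.login("admin")
    csrf = store.get(sid)["csrf"]
    victim_cookies = {"JSESSIONID": sid}
    # Constructed forged request: a form on https://evil.example posts to the
    # API; the browser adds the victim's cookie and an Origin header, nothing else.
    forged = dict(method="POST", path="/api/vms/123/stop", cookies=victim_cookies,
                  headers={"Origin": "https://evil.example"})
    # Same forgery with Origin/Referer stripped: the token check must still hold.
    forged_no_origin = dict(method="POST", path="/api/vms/123/stop",
                            cookies=victim_cookies, headers={})
    # Constructed legitimate request from the engine's own web UI.
    legit = dict(method="POST", path="/api/vms/123/stop", cookies=victim_cookies,
                 headers={"Origin": "https://engine.example", "X-CSRF-Token": csrf})
    return {
        "vulnerable_forged": vulnerable_handler(store, **forged)[0],
        "hardened_forged": hardened_handler(store, **forged)[0],
        "hardened_forged_no_origin": hardened_handler(store, **forged_no_origin)[0],
        "hardened_legit": hardened_handler(store, **legit)[0],
        "hardened_get_no_token": hardened_handler(store, "GET", "/api/vms",
                                                  victim_cookies, {})[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

The origin check alone is not sufficient, since some clients and privacy settings strip Origin and Referer; the per-session token in a custom header is what actually closes the hole, and read-only GET requests are deliberately left unprotected so existing API clients keep working. Non-browser REST clients simply fetch the token once per session and replay it in the header.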
This issue has been addressed in the following products:
RHEV Manager version 3.5
Via RHSA-2015:0158 https://rhn.redhat.com/errata/RHSA-2015-0158.html