Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1081896 - (CVE-2014-0154) CVE-2014-0154 ovirt-engine-webadmin: HttpOnly flag is not included when the session ID is set
CVE-2014-0154 ovirt-engine-webadmin: HttpOnly flag is not included when the s...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20140317,repor...
: Security
Depends On: 1081927 1081928 1081929
Blocks: 1103966
  Show dependency treegraph
 
Reported: 2014-03-28 03:15 EDT by David Jorm
Modified: 2018-07-18 10:26 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the oVirt web admin interface did not include the HttpOnly flag when setting session IDs with the Set-Cookie header. This flaw could make it is easier for a remote attacker to hijack an oVirt web admin session by leveraging a cross-site scripting (XSS) vulnerability.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0158 normal SHIPPED_LIVE Important: Red Hat Enterprise Virtualization Manager 3.5.0 2015-02-11 17:38:50 EST

  None (edit)
Description David Jorm 2014-03-28 03:15:55 EDT 
It was found that the oVirt web admin interface did not include the HttpOnly flag when setting session IDs with the Set-Cookie header. As a result, it is easier for remote attackers to hijack an oVirt web admin session by leveraging a cross-site scripting (XSS) vulnerability.
Comment 1 David Jorm 2014-03-28 03:33:18 EDT 
Upstream bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1077450

Upstream patch commit:

http://gerrit.ovirt.org/#/c/25915/
Comment 3 David Jorm 2014-03-28 04:19:59 EDT 
Created ovirt-engine tracking bugs for this issue:

Affects: fedora-all [bug 1081929]
Comment 7 errata-xmlrpc 2015-02-11 12:59:52 EST 
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0158 https://rhn.redhat.com/errata/RHSA-2015-0158.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.