CVE-2014-7851

high

Description

oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1165311

https://bugzilla.redhat.com/show_bug.cgi?id=1161730

Details

Source: Mitre, NVD

Published: 2017-10-16

Updated: 2026-05-13

Risk Information

CVSS v2

Base Score: 6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00409