High severity (7.5) · NVD Advisory · Published Oct 16, 2017 · Updated May 13, 2026
CVE-2014-7851
Description
oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.
Affected products
- cpe:2.3:a:redhat:ovirt-engine:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3.1:beta1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3.3:beta1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3.4:beta1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3:beta1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.4.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ovirt-engine:3.5.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- bugzilla.redhat.com/show_bug.cgi (NVD, Issue Tracking)
- bugzilla.redhat.com/show_bug.cgi (NVD, Issue Tracking)