CVE-2014-0154: Infoleak
First published: Fri Feb 13 2015(Updated: )
oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ovirt | <=3.4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability severity of CVE-2014-0154?
The severity of CVE-2014-0154 is considered medium due to its potential for exposing sensitive session information.
How can I fix CVE-2014-0154?
To fix CVE-2014-0154, update to oVirt Engine version 3.5.0 or later where the HTTPOnly flag is included in the Set-Cookie header.
What type of attacks can exploit CVE-2014-0154?
CVE-2014-0154 can be exploited through cross-site scripting (XSS) attacks that aim to access session cookies.
Which versions of oVirt are affected by CVE-2014-0154?
oVirt Engine versions prior to 3.5.0, including 3.4.4 and earlier, are affected by CVE-2014-0154.
Is it safe to continue using oVirt Engine if I have CVE-2014-0154?
Using an affected version of oVirt Engine poses a security risk, so it is recommended to upgrade to mitigate the vulnerability.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ovirt
- canonical/ovirt
- version/ovirt/3.4.4