CVE-2017-2614
Severity: MEDIUM
Red Hat Enterprise Virtualization - Unauthenticated Password Update on Expired Accounts
When updating a password in the rhvm database, the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check the current password if it is expired. An attacker with access to the tool could therefore change the password of any account whose password has expired, gaining access to that account.
References (2)
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2017-0257.html
Issue Tracking, Vendor Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2614
Scores
CVSS v3: 6.8
EPSS: 0.0028
EPSS Percentile: 19.5%
Attack Vector: LOCAL
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Details
CWE: CWE-20, CWE-640
Status: published
Products (1): redhat/enterprise_virtualization 4.0
Published: Jul 27, 2018
Tracked Since: Feb 18, 2026