{
  "threat_severity" : "Moderate",
  "public_date" : "2014-03-17T00:00:00Z",
  "bugzilla" : {
    "description" : "ovirt-engine-webadmin: HttpOnly flag is not included when the session ID is set",
    "id" : "1081896",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1081896"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-522",
  "details" : [ "oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.", "It was found that the oVirt web admin interface did not include the HttpOnly flag when setting session IDs with the Set-Cookie header. This flaw could make it is easier for a remote attacker to hijack an oVirt web admin session by leveraging a cross-site scripting (XSS) vulnerability." ],
  "affected_release" : [ {
    "product_name" : "RHEV Manager version 3.5",
    "release_date" : "2015-02-11T00:00:00Z",
    "advisory" : "RHSA-2015:0158",
    "cpe" : "cpe:/a:redhat:rhev_manager:3",
    "package" : "org.ovirt.engine-root-0:3.5.0-29"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-0154\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0154" ],
  "name" : "CVE-2014-0154",
  "csaw" : false
}