oss-sec mailing list archives
CVE request for vulnerability in OpenStack Neutron
From: Grant Murphy <gmurphy () redhat com>
Date: Tue, 16 Sep 2014 00:58:43 +1000
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet.

Title: Admin-only network attributes may be reset to defaults by non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Description:
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network attribute with a default value a non-privileged user may reset admin-only network attributes. This may lead to unexpected behavior with security implications for operators with a custom policy.json, or in some extreme cases network outages resulting in denial of service. All deployments using neutron networking are affected by this flaw.

References:
https://launchpad.net/bugs/1357379

Thanks in advance,
--
Grant Murphy
OpenStack Vulnerability Management Team
Current thread:
- CVE request for vulnerability in OpenStack Neutron Grant Murphy (Sep 15)
- Re: CVE request for vulnerability in OpenStack Neutron cve-assign (Sep 15)