exploitDog

CVE-2024-53916

Published: 24 Nov 2024
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.

A flaw was found in OpenStack Neutron. The service tagging policy engine insufficiently verifies the parent resource or the upper parent resource project ID when checking the policies against the caller project ID.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat OpenStack Platform 16.2 | openstack-heat | Not affected | | |
| Red Hat OpenStack Platform 16.2 | openstack-neutron | Affected | | |
| Red Hat OpenStack Platform 17.1 | openstack-heat | Not affected | | |
| Red Hat OpenStack Platform 17.1 | openstack-neutron | Affected | | |

Additional information

Status: Moderate
Defect: CWE-345
https://bugzilla.redhat.com/show_bug.cgi?id=2328595 openstack-neutron: tagging.py can use an incorrect ID during policy enforcement

EPSS

Percentile: 49%
0.00257
Low

5.3 Medium

CVSS3

Related vulnerabilities

CVSS3: 7.5
ubuntu
about 1 year ago

In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.

CVSS3: 7.5
nvd
about 1 year ago

In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.

CVSS3: 7.5
debian
about 1 year ago

In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can ...

CVSS3: 7.5
github
about 1 year ago

OpenStack Neutron can use an incorrect ID during policy enforcement
