CVE-2018-14635

6.5MEDIUM

Key Information:

Vendor
The Openstack Project
Status
Openstack-neutron
Vendor
CVE Published:
10 September 2018

Summary

When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then assigned from outside of the allowed allocation pool. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3 and 11.0.5 are vulnerable.

Affected Version(s)

openstack-neutron 13.0.0.0b2, 12.0.3, 11.0.5

References

https://access.redhat.com/errata/RHSA-2018:2710
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:2715
vendor-advisoryx_refsource_REDHAT
https://bugs.launchpad.net/neutron/+bug/1757482
x_refsource_CONFIRM

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.