Incorrect ID usage in policy enforcement in OpenStack Neutron through 25.0.0
CVE-2024-53916
7.5 HIGH
What is CVE-2024-53916?
A vulnerability exists in OpenStack Neutron versions prior to 25.0.1, where the system allows unprivileged tenants to alter network object tags without appropriate authorization checks. This issue arises from the incorrect application of policy enforcement in the neutron/extensions/tagging.py file, enabling potential misuse of network tagging features. The affected versions include Neutron 23.0.0 through 23.2.0, 24.0.0 to 24.0.1, and 25.0.0.
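
A triage helper for the version ranges listed above, as an added example that is not from this advisory or the Neutron project. It reports the enumerated versions as `affected`, 25.0.1 and later as `not-affected`, and everything else (versions below 25.0.1 that the list does not name, and pre-release builds) as `review`; the status labels and the sample inventory are assumptions.

```python
import re
from importlib import metadata

# Inclusive ranges exactly as enumerated on this page.
AFFECTED_RANGES = [
    ((23, 0, 0), (23, 2, 0)),
    ((24, 0, 0), (24, 0, 1)),
    ((25, 0, 0), (25, 0, 0)),
]
FIRST_FIXED = (25, 0, 1)  # the page: "versions prior to 25.0.1"


def classify(version_text):
    """Return 'affected', 'not-affected' or 'review' for a Neutron version."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(\S*)\s*", version_text)
    if not m:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    release = tuple(int(part) for part in m.groups()[:3])
    suffix = m.group(4)  # e.g. '.dev5' or 'rc1' on pre-release builds
    if any(low <= release <= high for low, high in AFFECTED_RANGES):
        return "affected"
    # Below 25.0.1 but not enumerated, or a pre-release of a fixed version:
    # the page does not settle these, so flag them for manual checking.
    if suffix or release < FIRST_FIXED:
        return "review"
    return "not-affected"


def triage(inventory):
    """Map host -> status for a {host: version} inventory."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names).
    sample = {"ctl-01": "24.0.1", "ctl-02": "25.0.1", "ctl-03": "24.0.2"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
    try:
        print("local neutron:", classify(metadata.version("neutron")))
    except metadata.PackageNotFoundError:
        print("local neutron: not installed")
```

Distribution packages often carry backported fixes under an unchanged upstream version number, so an `affected` result from a distro-packaged install still needs checking against the vendor's own advisory.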
