CVE-2024-53916

Published: Nov 25, 2024Modified: Jan 6, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.

Related CWEs

CWE-754

Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

References (5)

https://github.com/openstack/neutron/blob/363ffa6e9e1ab5968f87d45bc2f1cb6394f48b9f/neutron/extensions/tagging.py#L138-L232

Source: cve@mitre.org

https://review.opendev.org/c/openstack/neutron/+/935883

Source: cve@mitre.org

https://review.opendev.org/q/project:openstack/neutron

Source: cve@mitre.org

https://security.openstack.org/ossa/OSSA-2024-005.html

Source: cve@mitre.org

http://www.openwall.com/lists/oss-security/2024/12/03/1

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.