In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.
History

Wed, 04 Dec 2024 22:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Dec 2024 04:00:00 +0000

Type Values Removed Values Added
Description In OpenStack Neutron through 25.0.0, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. NOTE: 935883 has the "Work in Progress" status as of 2024-11-24. In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.

Wed, 04 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
References

Wed, 27 Nov 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Openstack
Openstack neutron
CPEs cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*
Vendors & Products Openstack
Openstack neutron
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Tue, 26 Nov 2024 03:15:00 +0000

Type Values Removed Values Added
Title openstack-neutron: tagging.py can use an incorrect ID during policy enforcement
Weaknesses CWE-345
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Moderate


Sun, 24 Nov 2024 23:30:00 +0000

Type Values Removed Values Added
Description In OpenStack Neutron through 25.0.0, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. NOTE: 935883 has the "Work in Progress" status as of 2024-11-24.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-11-24T00:00:00

Updated: 2024-12-04T22:01:18.911622Z

Reserved: 2024-11-24T00:00:00

Link: CVE-2024-53916

cve-icon Vulnrichment

Updated: 2024-12-04T01:30:22.263Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-25T00:15:04.423

Modified: 2024-12-04T22:15:22.840

Link: CVE-2024-53916

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-11-24T00:00:00Z

Links: CVE-2024-53916 - Bugzilla