=========================================================================== OSSA-2024-005: Authorization bypassed when setting tags on Neutron networks ===========================================================================
:Date: December 03, 2024 :CVE: CVE-2024-53916 Affects ~~~~~~~ - Neutron: >=23.0.0 <23.2.1, >=24.0.0 <24.0.2, >=25.0.0 <25.0.1 Description ~~~~~~~~~~~ Tore Anderson of Redpill Linpro AS discovered that Neutron does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects which do not belong to the tenant, and this action is not being subjected to the proper policy authorization check. Patches ~~~~~~~ -https://review.opendev.org/c/openstack/neutron/+/936849 (2023.2/bobcat) -https://review.opendev.org/c/openstack/neutron/+/936846 (2024.1/caracal) -https://review.opendev.org/c/openstack/neutron/+/936843 (2024.2/dalmatian) -https://review.opendev.org/c/openstack/neutron/+/935883 (2025.1/epoxy) Credits ~~~~~~~ - Tore Anderson from Redpill Linpro AS (C, V, E, -, 2, 0, 2, 4, -, 5, 3, 9, 1, 6) References ~~~~~~~~~~ -https://launchpad.net/bugs/2088986 -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53916 -- Jay Faulkner OpenStack VMT
OpenPGP_0x6B75D939B424C6D4.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ OpenStack-announce mailing list -- [email protected] To unsubscribe send an email to [email protected]
