GHSA-f27h-g923-68hw

Source
https://github.com/advisories/GHSA-f27h-g923-68hw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-f27h-g923-68hw/GHSA-f27h-g923-68hw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f27h-g923-68hw
Aliases
Published
2024-11-25T00:31:55Z
Modified
2025-01-09T16:09:29.263776Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
OpenStack Neutron can use an incorrect ID during policy enforcement
Details

In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement, so the proper policy check for changing network tags is not applied. As a result, an unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to that tenant, without the action being subjected to the proper policy authorization check. This affects the 23.x series before 23.2.1, the 24.x series before 24.0.2, and the 25.x series before 25.0.1.

Database specific
{
    "nvd_published_at": "2024-11-25T00:15:04Z",
    "cwe_ids": [
        "CWE-345",
        "CWE-754"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-25T15:29:24Z"
}
References

Affected packages

PyPI / neutron
  Affected range (ECOSYSTEM): introduced 23.0.0, fixed 23.2.1
  Affected versions (23.*): 23.0.0, 23.1.0, 23.2.0

PyPI / neutron
  Affected range (ECOSYSTEM): introduced 24.0.0, fixed 24.0.2
  Affected versions (24.*): 24.0.0, 24.0.1

PyPI / neutron
  Affected range (ECOSYSTEM): introduced 25.0.0, fixed 25.0.1
  Affected versions (25.*): 25.0.0