Homepage
About Snyk

neutron@18.0.0.0rc2 vulnerabilities

OpenStack Networking

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the neutron package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Denial of Service (DoS)

neutron is an OpenStack project to provide “network connectivity as a service” between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., nova). It implements the Neutron API.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to allowing the unrestricted creation of security groups, which allows users to query a list of security groups for an invalid project and exceed their querying quota.

NOTE: This vulnerability exists due to an insufficient fix for CVE-2022-3277.

How to fix Denial of Service (DoS)?

There is no fixed version for neutron.

[0,)
  • M
Improper Authorization

neutron is an OpenStack project to provide “network connectivity as a service” between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., nova). It implements the Neutron API.

Affected versions of this package are vulnerable to Improper Authorization when a non-admin user tries to list security groups for project_id None, it will create a default security group for that project and returns an empty list to the caller.

How to fix Improper Authorization?

Upgrade neutron to version 21.0.0.0rc1 or higher.

[0,21.0.0.0rc1)
  • M
Information Exposure

neutron is an OpenStack project to provide “network connectivity as a service” between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., nova). It implements the Neutron API.

Affected versions of this package are vulnerable to Information Exposure. During live-migration there is a small time window where the ports of instances are untagged. Instances have a port trunked to the integration bridge and receive 802.1Q tagged private traffic from other tenants. If the port is administratively down during live migration, the port will remain in trunk mode indefinitely. Traffic is possible between ports that are administratively down, even between tenants self-service networks. This allows end users within their own private network to receive from, and send traffic to, other private networks on the same compute node.

How to fix Information Exposure?

Upgrade neutron to version 18.0.0 or higher.

[0,18.0.0)
  • M
Denial of Service (DoS)

neutron is an OpenStack project to provide “network connectivity as a service” between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., nova). It implements the Neutron API.

Affected versions of this package are vulnerable to Denial of Service (DoS). Anyone in control of a server instance may send carefully crafted packets and impersonate the hardware addresses of other network components. This may also allow interception of traffic in some cases.

How to fix Denial of Service (DoS)?

Upgrade neutron to version 18.1.0, 17.2.1, 16.4.1 or higher.

[18.0.0.0rc1,18.1.0) [17.0.0.0rc1,17.2.1) [,16.4.1)
Go back to all versions of this package