Improper Authorization Affecting neutron package, versions [0,21.0.0.0rc1)
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.1% (42nd percentile)
- Snyk ID SNYK-PYTHON-NEUTRON-3031732
- published 23 Sep 2022
- disclosed 29 Aug 2022
- credit Unknown
Introduced: 29 Aug 2022
CVE-2022-3277
How to fix?
Upgrade neutron to version 21.0.0.0rc1 or higher.
Overview
neutron is an OpenStack project to provide “network connectivity as a service” between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., nova). It implements the Neutron API.
Affected versions of this package are vulnerable to Improper Authorization. When a non-admin user lists security groups with the filter project_id set to the literal string None, Neutron creates a default security group for that (non-existent) project and returns an empty list to the caller, so an unprivileged user can trigger resource creation outside their own project.
PoC
openstack --os-cloud devstack security group list --project None
openstack --os-cloud devstack-admin security group list
# The API call that is made is essentially `GET /networking/v2.0/security-groups?project_id=None`
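As an added example (not part of the Snyk advisory or the Neutron project), the following Python snippet shows how a defender could scan API access logs for the request shape behind this issue: a GET on the security-groups collection carrying `project_id=None`. The log line format and the sample lines are constructed for illustration, not the real Neutron log format.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (format is an assumption: "<timestamp> <method> <target> <status>").
# Only the first line matches the CVE-2022-3277 request shape.
SAMPLE_LOG = """\
2022-08-29T10:01:02Z GET /networking/v2.0/security-groups?project_id=None 200
2022-08-29T10:01:05Z GET /networking/v2.0/security-groups?project_id=4f1a2b 200
2022-08-29T10:01:09Z GET /networking/v2.0/networks?project_id=None 200
2022-08-29T10:02:11Z POST /networking/v2.0/security-groups 201
"""


def is_suspicious_request(method, target):
    """Return True for a GET on .../security-groups whose project_id filter
    is the literal string 'None' (the value Python produces for str(None))."""
    parts = urlsplit(target)
    if method != "GET":
        return False
    if not parts.path.rstrip("/").endswith("/security-groups"):
        return False
    # parse_qs handles repeated parameters, so check every supplied value.
    values = parse_qs(parts.query).get("project_id", [])
    return any(value == "None" for value in values)


def find_suspicious(log_text):
    """Return the log lines that match the suspicious request shape."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed or truncated lines
        method, target = fields[1], fields[2]
        if is_suspicious_request(method, target):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```

A hit from a non-admin identity on an affected Neutron version is worth correlating with unexpected default security groups, which is the side effect the advisory describes.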
CVSS Scores (version 3.1)