GHSA-9773-3fqg-8w25

Suggest an improvement
Source
https://github.com/advisories/GHSA-9773-3fqg-8w25
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9773-3fqg-8w25/GHSA-9773-3fqg-8w25.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9773-3fqg-8w25
Aliases
Published
2022-05-13T01:07:34Z
Modified
2024-10-03T21:33:52.025608Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenStack Neutron's unsupported dport option prevents applying security groups
Details

An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)

References

Affected packages

PyPI / neutron

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.0.8

Affected versions

0.*

0.0

10.*

10.0.5
10.0.6
10.0.7

PyPI / neutron

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.0.7

Affected versions

11.*

11.0.3
11.0.4
11.0.5
11.0.6

PyPI / neutron

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0.0
Fixed
12.0.6

Affected versions

12.*

12.0.0
12.0.1
12.0.2
12.0.3
12.0.4
12.0.5

PyPI / neutron

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13.0.0
Fixed
13.0.3

Affected versions

13.*

13.0.0
13.0.1
13.0.2