CVE-2014-6414
published 2014-10-02
CVE-2014-6414: OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via…
Priority: P4 · 20 · medium · 4 (CVSS 2.0)
AV:N/AC:L/Au:S/C:N/I:P/A:N
EPSS: 2.09% (79.3th percentile)
OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | neutron | < neutron 2014.1.3-1 (bookworm) | neutron 2014.1.3-1 (bookworm) |
| openstack | neutron | >= 0 < 2014.1.3-1 | 2014.1.3-1 |
| openstack | neutron | >= 0 < 2014.1.3-1 | 2014.1.3-1 |
| openstack | neutron | >= 0 < 2014.1.3-1 | 2014.1.3-1 |
| openstack | neutron | >= 0 < 2014.1.3-1 | 2014.1.3-1 |
| openstack | neutron | 2013.2 – 2013.2.4 | — |
| openstack | neutron | >= 2014.1 < 2014.1.2 | 2014.1.2 |
| openstack | neutron | 2014.2 – 2014.2.4 | — |
CVSS provenance
nvd · v2.0 · 4.0 MEDIUM · AV:N/AC:L/Au:S/C:N/I:P/A:N
osv · 4.0 MEDIUM
vendor_debian · 4.0 MEDIUM
vendor_redhat · 4.0 MEDIUM
Ubuntu
OpenStack Neutron vulnerability
vendor_ubuntu·2014-11-11
CVE-2014-6414 OpenStack Neutron vulnerability
Title: OpenStack Neutron vulnerability
Summary: OpenStack Neutron would allow unintended access to configuration over the
network.
Elena Ezhova discovered that OpenStack Neutron did not properly perform
access control checks for attributes. A remote authenticated attacker could
exploit this to bypass intended access controls and reset admin-only
attributes to default values.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
openstack-neutron: Admin-only network attributes may be reset to defaults by non-privileged users
vendor_redhat·2014-08-15·CVSS 4.0
CVE-2014-6414 [MEDIUM] CWE-862 openstack-neutron: Admin-only network attributes may be reset to defaults by non-privileged users
OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.
It was discovered that unprivileged users could in some cases reset admin-only network attributes to their default values. This could lead to unexpected behavior or in some cases result in a denial of service.
Debian
CVE-2014-6414: neutron - OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authe...
vendor_debian·2014·CVSS 4.0
CVE-2014-6414 [MEDIUM] CVE-2014-6414: neutron - OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authe...
OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 2014.1.3-1)
bullseye: resolved (fixed in 2014.1.3-1)
forky: resolved (fixed in 2014.1.3-1)
sid: resolved (fixed in 2014.1.3-1)
trixie: resolved (fixed in 2014.1.3-1)
GHSA
GHSA-94x8-hxww-p5g2: OpenStack Neutron before 2014
ghsa_unreviewed·2022-05-14
CVE-2014-6414 [MEDIUM] GHSA-94x8-hxww-p5g2: OpenStack Neutron before 2014
OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.
OSV
CVE-2014-6414: OpenStack Neutron before 2014
osv·2014-10-02·CVSS 4.0
CVE-2014-6414 [MEDIUM] CVE-2014-6414: OpenStack Neutron before 2014
OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-6414 openstack-neutron: Admin-only network attributes may be reset to defaults by non-privileged users
bugzilla·2014-09-16·CVSS 4.0
CVE-2014-6414 [MEDIUM] CVE-2014-6414 openstack-neutron: Admin-only network attributes may be reset to defaults by non-privileged users
The OpenStack project reports:
""
Title: Admin-only network attributes may be reset to defaults by
non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2
Description:
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating
a network attribute with a default value a non-privileged user may reset
admin-only network attributes. This may lead to unexpected behavior with
security implications for operators with a custom policy.json, or in some
extreme cases network outages resulting in denial of service. All
deployments using neutron networking are affected by this flaw.
""
References
Bugzilla
CVE-2014-6414 openstack-neutron: Admin-only network attributes may be reset to defaults by non-privileged users [fedora-20]
bugzilla·2014-09-16·CVSS 4.0
CVE-2014-6414 [MEDIUM] CVE-2014-6414 openstack-neutron: Admin-only network attributes may be reset to defaults by non-privileged users [fedora-20]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
fedora-20
http://rhn.redhat.com/errata/RHSA-2014-1686.html
http://rhn.redhat.com/errata/RHSA-2014-1785.html
http://rhn.redhat.com/errata/RHSA-2014-1786.html
http://secunia.com/advisories/62299
http://www.openwall.com/lists/oss-security/2014/09/15/5
http://www.ubuntu.com/usn/USN-2408-1
https://bugs.launchpad.net/neutron/+bug/1357379
Published: 2014-10-02