CVE-2015-5240
Published: 2015-10-27
Priority: P4 · 17 · low
CVSS 2.0: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
EPSS: 0.96% (57.2th percentile)
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | neutron | < neutron 1:7.0.0-1 (bookworm) | neutron 1:7.0.0-1 (bookworm) |
| openstack | neutron | — | — |
| openstack | neutron | — | — |
| openstack | neutron | — | — |
| openstack | neutron | >= 0 < 1:7.0.0-1 | 1:7.0.0-1 |
| openstack | neutron | >= 0 < 1:7.0.0-1 | 1:7.0.0-1 |
| openstack | neutron | >= 0 < 1:7.0.0-1 | 1:7.0.0-1 |
| openstack | neutron | >= 0 < 1:7.0.0-1 | 1:7.0.0-1 |
| openstack | neutron | >= 0 < 7.0.0 | 7.0.0 |
| openstack | neutron | >= 25.0.0 < 25.2.4 | 25.2.4 |
| openstack | neutron | >= 26.0.0 < 26.0.4 | 26.0.4 |
| openstack | neutron | >= 27.0.0 < 27.0.3 | 27.0.3 |
| openstack | neutron | >= 28.0.0 < 28.0.1 | 28.0.1 |
| the_openstack_project | openstack-neutron | — | — |
CVSS provenance
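| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | — | 3.5 | LOW | — |
| vendor_debian | — | 3.5 | LOW | — |
| vendor_redhat | — | 3.5 | LOW | — |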
Red Hat
openstack-neutron: OpenStack Neutron: Network spoofing via incorrect port RBAC policies
vendor_redhat·2026-06-04·CVSS 3.5
CVE-2026-50266 [LOW] CWE-639 openstack-neutron: OpenStack Neutron: Network spoofing via incorrect port RBAC policies
In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).
A flaw was found in OpenStack Neutron. A project
Red Hat
openstack-neutron: Firewall rules bypass through port update
vendor_redhat·2015-09-08·CVSS 3.5
CVE-2015-5240 [LOW] CWE-362 openstack-neutron: Firewall rules bypass through port update
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.
A race-condition flaw leading to ACL bypass was discovered in OpenStack Networking (neutron). An authenticated user could change the owner of a port after it was created but before firewall rules were applied, thus preventing firewall control checks from occurring. All OpenStack Networking deployments that used either the ML2 plug-in or a plug-in that relied on the security groups AMQP API were affected.
Debian
CVE-2015-5240: neutron - Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, ...
vendor_debian·2015·CVSS 3.5
CVE-2015-5240 [LOW] CVE-2015-5240: neutron - Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, ...
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.
Scope: local
bookworm: resolved (fixed in 1:7.0.0-1)
bullseye: resolved (fixed in 1:7.0.0-1)
forky: resolved (fixed in 1:7.0.0-1)
sid: resolved (fixed in 1:7.0.0-1)
trixie: resolved (fixed in 1:7.0.0-1)
GHSA
In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("ne
ghsa_unreviewed·2026-06-04·CVSS 3.5
CVE-2026-50266 [LOW] CWE-863 In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("ne
In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).
OSV
OpenStack Neutron Race condition vulnerability
osv·2022-05-17
CVE-2015-5240 [LOW] OpenStack Neutron Race condition vulnerability
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.
GHSA
OpenStack Neutron Race condition vulnerability
ghsa·2022-05-17
CVE-2015-5240 [LOW] CWE-362 OpenStack Neutron Race condition vulnerability
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.
OSV
CVE-2015-5240: Race condition in OpenStack Neutron before 2014
osv·2015-10-27·CVSS 3.5
CVE-2015-5240 [LOW] CVE-2015-5240: Race condition in OpenStack Neutron before 2014
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-50266 openstack-neutron: OpenStack Neutron: Network spoofing via incorrect port RBAC policies
bugzilla·2026-06-04·CVSS 3.5
CVE-2026-50266 [LOW] CVE-2026-50266 openstack-neutron: OpenStack Neutron: Network spoofing via incorrect port RBAC policies
In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018).
Bugzilla
CVE-2015-5240 openstack-neutron: Firewall rules bypass through port update [fedora-all]
bugzilla·2015-09-09·CVSS 3.5
CVE-2015-5240 [LOW] CVE-2015-5240 openstack-neutron: Firewall rules bypass through port update [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2015-5240 openstack-neutron: Firewall rules bypass through port update
bugzilla·2015-08-31·CVSS 3.5
CVE-2015-5240 [LOW] CVE-2015-5240 openstack-neutron: Firewall rules bypass through port update
It was reported that a vulnerability was found in Neutron. By changing the device owner of an instance's port right after it is created, an authenticated user may prevent application of firewall rules and so avoid IP anti-spoofing controls. All Neutron setups using the ML2 plugin or a plugin that relies on the security groups AMQP API are affected.
Vulnerability affects versions through 2014.2.3 and 2015.1 versions through 2015.1.1.
Acknowledgements:
Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Kevin Benton from Mirantis as the original reporter.
Disc
http://rhn.redhat.com/errata/RHSA-2015-1909.html
http://www.openwall.com/lists/oss-security/2015/09/08/9
https://bugs.launchpad.net/neutron/+bug/1489111
https://bugzilla.redhat.com/show_bug.cgi?id=1258458
https://security.openstack.org/ossa/OSSA-2015-018.html
Published: 2015-10-27