CVE-2024-53916
published 2024-11-25

Priority: P3 42
CVSS 3.1: 7.5 (high)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.69% (48.3th percentile)

In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | neutron | < neutron 2:25.0.0-2 (forky) | neutron 2:25.0.0-2 (forky) |
| openstack | neutron | >= 0 < 2:25.0.0-2 | 2:25.0.0-2 |
| openstack | neutron | >= 0 < 2:25.0.0-2 | 2:25.0.0-2 |
| openstack | neutron | >= 23.0.0 < 23.2.1 | 23.2.1 |
| openstack | neutron | >= 24.0.0 < 24.0.2 | 24.0.2 |
| openstack | neutron | >= 25.0.0 < 25.0.1 | 25.0.1 |

CVSS provenance

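| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | LOW | |
| vendor_redhat | | 7.5 | HIGH | |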