OpenStack Neutron vulnerabilities
31 known vulnerabilities affecting openstack/neutron.
Total CVEs: 31
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 5, MEDIUM 20, LOW 3
Vulnerabilities
Page 2 of 2
CVE-2018-14636 | P4 | MEDIUM | CVSS 5.3 | CWE-300 | ≥ 7.0.0, ≤ 11.0.4; ≥ 12.0.0, ≤ 12.0.2; +1 more | 2018-09-10
Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected
ghsa, nvd, osv
CVE-2014-4615 | P4 | MEDIUM | CVSS 5.0 | CWE-200 | v2014.1, v2014.1.1, +1 more | 2014-08-19
The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).
nvd, osv
CVE-2013-6419 | P4 | MEDIUM | CVSS 5.0 | ≥ 0, < 2013.2.1-1 | 2014-01-07
Interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 and icehouse-1 does not validate the instance ID of the tenant making a request, which allows remote tenants to obtain sensitive metadata by spoofing the device ID that is bound to a port, which is not properly handled by (1) api/metadata/handler.py in Nova and (2) the neutron-metadata-agent (agent/metadata/agent.py) in Ne
osv
CVE-2013-2255 | P4 | MEDIUM | CWE-295 | ≥ 0, < 7.0.0a0 | 2022-05-05
OpenStack Keystone and other components vulnerable to Improper Certificate Validation
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.
ghsa, osv
CVE-2014-6414 | P4 | MEDIUM | CVSS 4.0 | CWE-264 | ≥ 2013.2, ≤ 2013.2.4; ≥ 2014.1, < 2014.1.2; +1 more | 2014-10-02
OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.
nvd, osv
CVE-2014-7821 | P4 | MEDIUM | CVSS 4.0 | CWE-20 | ≥ 2012.2.1, < 2014.1.4; ≥ 2014.2, < 2014.2.1 | 2014-11-24
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.
nvd, osv
CVE-2014-8153 | P4 | MEDIUM | CVSS 4.0 | CWE-20 | v2014.2, v2014.2.1 | 2015-01-15
The L3 agent in OpenStack Neutron 2014.2.x before 2014.2.2, when using radvd 2.0+, allows remote authenticated users to cause a denial of service (blocked router update processing) by creating eight routers and assigning an ipv6 non-provider subnet to each.
nvd, osv
CVE-2015-5240 | P4 | LOW | CVSS 3.5 | CWE-362 | v2014.2.3, v2015.1.0, +5 more | 2015-10-27
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with "network:" before the security group rules are applied.
ghsa, nvd, osv
CVE-2014-0056 | P4 | LOW | CVSS 2.1 | CWE-287 | v2012.2, v2012.2.1, +12 more | 2014-05-08
The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.
ghsa, nvd, osv
CVE-2014-3555 | P4 | MEDIUM | CVSS 4.0 | CWE-264 | v2013.2.4, v2014.1, +2 more | 2014-07-23
OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs.
ghsa, nvd, osv
CVE-2014-4167 | P4 | LOW | CVSS 3.5 | CWE-264 | ≥ 2011.1, ≤ 2013.2.3; v2014.1; +1 more | 2014-07-11
The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router.
nvd, osv