CVE-2014-0056 : The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tena

The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.

Published 2014-05-08 14:29:13

Updated 2023-02-13 00:30:56

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2014-0056

Canonical » Ubuntu Linux » Version: 13.10
cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2012.2.3
cpe:2.3:a:openstack:neutron:2012.2.3:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2012.2.4
cpe:2.3:a:openstack:neutron:2012.2.4:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2013.2
cpe:2.3:a:openstack:neutron:2013.2:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2013.2.1
cpe:2.3:a:openstack:neutron:2013.2.1:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2013.1.1
cpe:2.3:a:openstack:neutron:2013.1.1:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2013.1.2
cpe:2.3:a:openstack:neutron:2013.1.2:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2012.2.1
cpe:2.3:a:openstack:neutron:2012.2.1:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2012.2.2
cpe:2.3:a:openstack:neutron:2012.2.2:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2013.1.3
cpe:2.3:a:openstack:neutron:2013.1.3:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2013.1.4
cpe:2.3:a:openstack:neutron:2013.1.4:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2013.1.5
cpe:2.3:a:openstack:neutron:2013.1.5:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2012.2
cpe:2.3:a:openstack:neutron:2012.2:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2013.1
cpe:2.3:a:openstack:neutron:2013.1:*:*:*:*:*:*:*
Matching versions
Openstack » Neutron » Version: 2013.2.2
cpe:2.3:a:openstack:neutron:2013.2.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-0056

EPSS FAQ

0.22%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 41 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-0056

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
2.1	LOW	AV:N/AC:H/Au:S/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-0056

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-0056

http://rhn.redhat.com/errata/RHSA-2014-0516.html

RHSA-2014:0516 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2014/03/27/5

oss-security - [OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056)
http://www.ubuntu.com/usn/USN-2194-1

USN-2194-1: OpenStack Neutron vulnerability | Ubuntu security notices
https://bugs.launchpad.net/neutron/+bug/1243327

Bug #1243327 “[OSSA 2014-008] Routers can be cross plugged by ot...” : Bugs : neutron

Jump to

Vulnerability Details : CVE-2014-0056

Products affected by CVE-2014-0056

Exploit prediction scoring system (EPSS) score for CVE-2014-0056

CVSS scores for CVE-2014-0056

CWE ids for CVE-2014-0056

References for CVE-2014-0056