From ${URL}:

A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet.

Title: Admin-only network attributes may be reset to defaults by non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Description:
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network attribute with a default value a non-privileged user may reset admin-only network attributes. This may lead to unexpected behavior with security implications for operators with a custom policy.json, or in some extreme cases network outages resulting in denial of service. All deployments using neutron networking are affected by this flaw.

References:
https://launchpad.net/bugs/1357379

Thanks in advance,
--
Grant Murphy
OpenStack Vulnerability Management Team

CVE-2014-6414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6414): OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.
Vulnerable versions removed from tree. Also, the CVE description is wrong: "OpenStack Neutron before 2014.2.4" should be "OpenStack Neutron before 2013.2.4".
Per previous comments, no vulnerable versions in tree.