CVE-2022-3277
Published: 6 March 2023
An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.
Notes
Author | Note |
---|---|
mdeslaur | This issue was fixed in (2:20.3.0-0ubuntu1) in jammy-proposed, and was later released to -security. |
Priority
Status
Package | Release | Status |
---|---|---|
neutron (Launchpad, Ubuntu, Debian) | bionic | Released (2:12.1.1-0ubuntu8.1) |
 | trusty | Ignored (end of standard support) |
 | xenial | Needs triage |
 | kinetic | Not vulnerable (2:21.0.0-0ubuntu1) |
 | focal | Released (2:16.4.2-0ubuntu6.2) |
 | jammy | Released (2:20.3.0-0ubuntu1.1) |
 | upstream | Released (21.0.0.0rc1,20.3.0,19.5.0,18.6.0) |
 | lunar | Not vulnerable (2:22.0.0-0ubuntu1) |
 | mantic | Not vulnerable (2:22.0.0-0ubuntu1) |
Patches:
upstream: https://opendev.org/openstack/neutron/commit/01fc2b9195f999df4d810df4ee63f77ecbc81f7e
upstream: https://opendev.org/openstack/neutron/commit/fd7fb0e9d8c602380f54975367d935ab69e10c05
upstream: https://opendev.org/openstack/neutron/commit/717e3e09556f1fb9a7a420863746fa785eb6c316
upstream: https://opendev.org/openstack/neutron/commit/733ef4f2d8c2a3734c360d1c1dd3a6fcd600cb8c
upstream: https://opendev.org/openstack/neutron/commit/d0e1b54fb1de932b2b30ab4269cf5789632df476
upstream: https://opendev.org/openstack/neutron/commit/cbeee87fa44cd200d4997e02042098460167dce1
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |