Launchpad CVE tracker

CVE 2014-0056

The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.

Related bugs and status

CVE-2014-0056 (Candidate) is related to these bugs:

Bug #1243327: [OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056)

		In	Importance	Status
1243327	[OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056)	neutron	Critical	Fix Released
1243327	[OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056)	OpenStack Security Advisory	High	Fix Released
1243327	[OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056)	neutron havana	Critical	Fix Released

Bug #1337801: Port's device_owner field should not be editable

Summary				In	Importance	Status
	1337801	Port's device_owner field should not be editable		neutron	Medium	Invalid

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2014-0056

References