CVE-2024-53916

CVE Database · CVE-2024-53916

CVE-2024-53916

· HIGHDeferred

CVSS v3.1

7.5

EPSS

0.68%

Published

Nov 24, 2024

Modified

Apr 14, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Weaknesses (CWE)

CWE-754

References (5)

https://github.com/openstack/neutron/blob/363ffa6e9e1ab5968f87d45bc2f1cb6394f48b9f/neutron/extensions/tagging.py#L138-L232

https://review.opendev.org/c/openstack/neutron/+/935883

https://review.opendev.org/q/project:openstack/neutron

https://security.openstack.org/ossa/OSSA-2024-005.html

http://www.openwall.com/lists/oss-security/2024/12/03/1

KEV Catalog EPSS Scores Vendors All CVEs