CVE-2022-3277 - OpenCVE

An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openstack	Neutron
Redhat	Openstack Openstack Platform

Configuration 1 [-]

OR	cpe:2.3:a:openstack:neutron::::::::
	cpe:2.3:a:openstack:neutron::::::::
	cpe:2.3:a:redhat:openstack_platform:13.0:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.1:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.2:::::::*

Package	CPE	Advisory	Released Date
Red Hat OpenStack Platform 16.1
openstack-neutron-1:15.2.1-1.20221005123225.40d217c.el8ost	cpe:/a:redhat:openstack:16.1::el8	RHSA-2022:8870	2022-12-07T00:00:00Z
Red Hat OpenStack Platform 16.2
openstack-neutron-1:15.3.5-2.20221005184727.c81fb5b.el8ost	cpe:/a:redhat:openstack:16.2::el8	RHSA-2022:8855	2022-12-07T00:00:00Z
Red Hat OpenStack Platform 17.0
openstack-neutron-1:18.4.1-0.20221128170741.5258354.el9ost	cpe:/a:redhat:openstack:17.0::el9	RHSA-2023:0275	2023-01-25T00:00:00Z

References

Link	Providers
https://bugs.launchpad.net/neutron/+bug/1988026
https://bugzilla.redhat.com/show_bug.cgi?id=2129193
https://nvd.nist.gov/vuln/detail/CVE-2022-3277
https://www.cve.org/CVERecord?id=CVE-2022-3277

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-03-06T00:00:00

Updated: 2024-08-03T01:07:05.880Z

Reserved: 2022-09-22T00:00:00

Link: CVE-2022-3277

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-03-06T23:15:10.763

Modified: 2023-03-13T18:52:55.567

Link: CVE-2022-3277

Redhat

Severity : Moderate

Publid Date: 2022-08-29T00:00:00Z

Links: CVE-2022-3277 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "matchCriteriaId": "97FCCEF5-421A-481C-896F-134DFEA4F788", "versionEndExcluding": "18.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "matchCriteriaId": "50017637-10DA-4C94-BD3D-234DE8982F1F", "versionEndExcluding": "19.5.0", "versionStartIncluding": "19.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*", "matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."}], "id": "CVE-2022-3277", "lastModified": "2023-03-13T18:52:55.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-06T23:15:10.763", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://bugs.launchpad.net/neutron/+bug/1988026"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129193"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:8870", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "openstack-neutron-1:15.2.1-1.20221005123225.40d217c.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2022:8855", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-neutron-1:15.3.5-2.20221005184727.c81fb5b.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:0275", "cpe": "cpe:/a:redhat:openstack:17.0::el9", "package": "openstack-neutron-1:18.4.1-0.20221128170741.5258354.el9ost", "product_name": "Red Hat OpenStack Platform 17.0", "release_date": "2023-01-25T00:00:00Z"}], "bugzilla": {"description": "openstack-neutron: unrestricted creation of security groups", "id": "2129193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129193"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.", "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."], "name": "CVE-2022-3277", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2022-08-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3277\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3277\nhttps://bugs.launchpad.net/neutron/+bug/1988026"], "statement": "While this vulnerability triggers the usage of API and Database resources, there is no action taken by OpenStack to enforce these new security group rules. As a result, the impact of this Denial of Service is rather limited. So deployments that have a strong trust relationship with all users (such as a private or company-internal OpenStack service) can consider this flaw as having a Low impact. Additionally, this vulnerability only affects deployments which provide direct access to their application programming interface (API). The command line interface (CLI) has had protections against this kind of misuse since at least Red Hat OpenStack Platform 13.", "threat_severity": "Moderate"}