CVE-2023-3637 - OpenCVE

An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Openstack Openstack-optools Openstack Platform

Configuration 1 [-]

OR	cpe:2.3:a:redhat:openstack_platform:13.0:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.2:::::::*

Package	CPE	Advisory	Released Date
Red Hat OpenStack Platform 16.2
openstack-neutron-1:15.3.5-2.20230216175503.el8ost	cpe:/a:redhat:openstack:16.2::el8	RHSA-2023:4283	2023-07-26T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2023:4283
https://access.redhat.com/security/cve/CVE-2023-3637
https://bugzilla.redhat.com/show_bug.cgi?id=2222270
https://nvd.nist.gov/vuln/detail/CVE-2023-3637
https://www.cve.org/CVERecord?id=CVE-2023-3637

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-07-25T12:47:31.531Z

Updated: 2024-09-16T12:31:05.821Z

Reserved: 2023-07-12T13:34:14.699Z

Link: CVE-2023-3637

Vulnrichment

Updated: 2024-08-02T07:01:57.259Z

NVD

Status : Modified

Published: 2023-07-25T13:15:10.407

Modified: 2023-11-07T04:19:12.810

Link: CVE-2023-3637

Redhat

Severity : Moderate

Publid Date: 2023-07-12T00:00:00Z

Links: CVE-2023-3637 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3637", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-07-12T13:34:14.699Z", "datePublished": "2023-07-25T12:47:31.531Z", "dateUpdated": "2024-09-16T12:31:05.821Z"}, "containers": {"cna": {"title": "Openstack-neutron: unrestricted creation of security groups (fix for cve-2022-3277)", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "affected", "versions": [{"version": "1:15.3.5-2.20230216175503.el8ost", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openstack:16.2::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 13 (Queens) Operational Tools", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack-optools:13"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openstack:16.1"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openstack:17.0"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openstack:17.1"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 18.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openstack:18.0"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:4283", "name": "RHSA-2023:4283", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3637", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270", "name": "RHBZ#2222270", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-07-12T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption", "timeline": [{"lang": "en", "time": "2023-07-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-07-12T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-16T12:31:05.821Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3637", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-25T18:48:25.414001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:17:33.214Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.259Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:4283", "name": "RHSA-2023:4283", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3637", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270", "name": "RHBZ#2222270", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:4283", "name": "RHSA-2023:4283", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3637", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270", "name": "RHBZ#2222270", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.259Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3637", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-25T18:48:25.414001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-25T18:48:32.997Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Openstack-neutron: unrestricted creation of security groups (fix for cve-2022-3277)", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/a:redhat:openstack:16.2::el8"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "versions": [{"status": "unaffected", "version": "1:15.3.5-2.20230216175503.el8ost", "lessThan": "*", "versionType": "rpm"}], "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openstack-optools:13"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 13 (Queens) Operational Tools", "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openstack:16.1"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openstack:17.0"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.0", "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openstack:17.1"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.1", "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openstack:18.0"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 18.0", "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-07-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-07-12T00:00:00+00:00", "value": "Made public."}], "datePublic": "2023-07-12T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:4283", "name": "RHSA-2023:4283", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3637", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270", "name": "RHBZ#2222270", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-16T12:31:05.821Z"}, "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"}}, "cveMetadata": {"cveId": "CVE-2023-3637", "state": "PUBLISHED", "dateUpdated": "2024-09-16T12:31:05.821Z", "dateReserved": "2023-07-12T13:34:14.699Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-07-25T12:47:31.531Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."}], "id": "CVE-2023-3637", "lastModified": "2023-11-07T04:19:12.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-07-25T13:15:10.407", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:4283"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-3637"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4283", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-neutron-1:15.3.5-2.20230216175503.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2023-07-26T00:00:00Z"}], "bugzilla": {"description": "openstack-neutron: unrestricted creation of security groups (fix for CVE-2022-3277)", "id": "2222270", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.", "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."], "name": "CVE-2023-3637", "package_state": [{"cpe": "cpe:/a:redhat:openstack-optools:13", "fix_state": "Will not fix", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 13 (Queens) Operational Tools"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Not affected", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 17.0"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2023-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-3637\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3637"], "statement": "While this vulnerability triggers the usage of API and Database resources, there is no action taken by OpenStack to enforce these new security group rules. As a result, the impact of this Denial of Service is rather limited. So deployments that have a strong trust relationship with all users (such as a private or company-internal OpenStack service) can consider this flaw as having a Low impact. Additionally, this vulnerability only affects deployments which provide direct access to their application programming interface (API). The command line interface (CLI) has had protections against this kind of misuse since at least Red Hat OpenStack Platform 13.\n- The patch associated with previous RHSA-2022:8855 for CVE-2022-3277, specifically for component openstack-neutron, was incorrect. A new CVE has been assigned to track the correct patch for this particular component.", "threat_severity": "Moderate"}