CVE-2023-3637 - Vulnerability Details

An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00214.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Openstack Openstack-optools Openstack Platform

Configuration 1 [-]

OR	cpe:2.3:a:redhat:openstack_platform:13.0:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.2:::::::*

Package	CPE	Advisory	Released Date
Red Hat OpenStack Platform 16.2
openstack-neutron-1:15.3.5-2.20230216175503.el8ost	cpe:/a:redhat:openstack:16.2::el8	RHSA-2023:4283	2023-07-26T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2132	An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.
Github GHSA	GHSA-r3jh-qhgj-gvr8	Denial of service in neutron

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2023:4283
https://access.redhat.com/security/cve/CVE-2023-3637
https://bugzilla.redhat.com/show_bug.cgi?id=2222270
https://nvd.nist.gov/vuln/detail/CVE-2023-3637
https://www.cve.org/CVERecord?id=CVE-2023-3637

History

Sat, 23 Nov 2024 00:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-07-25T12:47:31.531Z

Updated: 2025-10-09T23:39:38.404Z

Reserved: 2023-07-12T13:34:14.699Z

Link: CVE-2023-3637

Vulnrichment

Updated: 2024-08-02T07:01:57.259Z

NVD

Status : Modified

Published: 2023-07-25T13:15:10.407

Modified: 2024-11-21T08:17:43.517

Link: CVE-2023-3637

Redhat

Severity : Moderate

Publid Date: 2023-07-12T00:00:00Z

Links: CVE-2023-3637 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object