{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-3637", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-07-12T13:34:14.699Z", "datePublished": "2023-07-25T12:47:31.531Z", "dateUpdated": "2025-11-20T17:39:47.319Z"}, "containers": {"cna": {"title": "Openstack-neutron: unrestricted creation of security groups (fix for cve-2022-3277)", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "affected", "versions": [{"version": "1:15.3.5-2.20230216175503.el8ost", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openstack:16.2::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 13 (Queens) Operational Tools", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openstack-optools:13"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openstack:16.1"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openstack:17.0"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openstack:17.1"]}, {"vendor": "Red Hat", "product": "Red Hat OpenStack Platform 18.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openstack-neutron", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:openstack:18.0"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:4283", "name": "RHSA-2023:4283", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3637", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270", "name": "RHBZ#2222270", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-07-12T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption", "timeline": [{"lang": "en", "time": "2023-07-12T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-07-12T00:00:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-20T17:39:47.319Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3637", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-25T18:48:25.414001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:17:33.214Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.259Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:4283", "name": "RHSA-2023:4283", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3637", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270", "name": "RHBZ#2222270", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:4283", "name": "RHSA-2023:4283", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3637", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270", "name": "RHBZ#2222270", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.259Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3637", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-25T18:48:25.414001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-25T18:48:32.997Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Openstack-neutron: unrestricted creation of security groups (fix for cve-2022-3277)", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/a:redhat:openstack:16.2::el8"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.2", "versions": [{"status": "unaffected", "version": "1:15.3.5-2.20230216175503.el8ost", "lessThan": "*", "versionType": "rpm"}], "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openstack-optools:13"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 13 (Queens) Operational Tools", "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openstack:16.1"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 16.1", "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openstack:17.0"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.0", "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openstack:17.1"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 17.1", "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openstack:18.0"], "vendor": "Red Hat", "product": "Red Hat OpenStack Platform 18.0", "packageName": "openstack-neutron", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-07-12T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-07-12T00:00:00.000Z", "value": "Made public."}], "datePublic": "2023-07-12T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:4283", "name": "RHSA-2023:4283", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3637", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270", "name": "RHBZ#2222270", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-20T17:39:47.319Z"}, "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"}}, "cveMetadata": {"cveId": "CVE-2023-3637", "state": "PUBLISHED", "dateUpdated": "2025-11-20T17:39:47.319Z", "dateReserved": "2023-07-12T13:34:14.699Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-07-25T12:47:31.531Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."}], "id": "CVE-2023-3637", "lastModified": "2024-11-21T08:17:43.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-25T13:15:10.407", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:4283"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-3637"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:4283"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-3637"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4283", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-neutron-1:15.3.5-2.20230216175503.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2023-07-26T00:00:00Z"}], "bugzilla": {"description": "openstack-neutron: unrestricted creation of security groups (fix for CVE-2022-3277)", "id": "2222270", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222270"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.", "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."], "name": "CVE-2023-3637", "package_state": [{"cpe": "cpe:/a:redhat:openstack-optools:13", "fix_state": "Will not fix", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 13 (Queens) Operational Tools"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Not affected", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 17.0"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2023-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-3637\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3637"], "statement": "While this vulnerability triggers the usage of API and Database resources, there is no action taken by OpenStack to enforce these new security group rules. As a result, the impact of this Denial of Service is rather limited. So deployments that have a strong trust relationship with all users (such as a private or company-internal OpenStack service) can consider this flaw as having a Low impact. Additionally, this vulnerability only affects deployments which provide direct access to their application programming interface (API). The command line interface (CLI) has had protections against this kind of misuse since at least Red Hat OpenStack Platform 13.\n- The patch associated with previous RHSA-2022:8855 for CVE-2022-3277, specifically for component openstack-neutron, was incorrect. A new CVE has been assigned to track the correct patch for this particular component.", "threat_severity": "Moderate"}

{}