CVE-2015-5240

Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.

Published: Oct 27, 2015
Updated: Apr 13, 2023
CVE: CVE-2015-5240
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-362

Affected Software
References

Software	From	Fixed in
openstack / neutron	2015.1.1	2015.1.1.x
openstack / neutron	2014.2.3	2014.2.3.x
openstack / neutron	2015.1.0	2015.1.0.x

http://rhn.redhat.com/errata/RHSA-2015-1909.html
http://www.openwall.com/lists/oss-security/2015/09/08/9
https://bugs.launchpad.net/neutron/+bug/1489111
https://bugzilla.redhat.com/show_bug.cgi?id=1258458
https://security.openstack.org/ossa/OSSA-2015-018.html

Vulnerability Database

289,599

CVE-2015-5240