OSSA-2014-008: Routers can be cross plugged by other tenants¶
March 27, 2014
Neutron: 2012.2 versions up to 2013.2.2
Aaron Rosen from VMware reported a vulnerability where Neutron fails to perform proper authorization checks when creating ports. By choosing a device id of a router from a different tenant when creating a port, an authenticated user can access the network of other tenants. This affects deployments of Neutron using plugins relying on the l3-agent.
Aaron Rosen from VMware (CVE-2014-0056)