OSSA-2014-008: Routers can be cross plugged by other tenants

Date:March 27, 2014


  • Neutron: 2012.2 versions up to 2013.2.2


Aaron Rosen from VMware reported a vulnerability where Neutron fails to perform proper authorization checks when creating ports. By choosing a device id of a router from a different tenant when creating a port, an authenticated user can access the network of other tenants. This affects deployments of Neutron using plugins relying on the l3-agent.


  • Aaron Rosen from VMware (CVE-2014-0056)