OSSA-2014-031: Admin-only network attributes may be reset to defaults by non-privileged users

Date:September 29, 2014


  • Neutron: up to 2013.2.4 and 2014.1 versions up to 2014.1.2


Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network attribute with a default value a non-privileged user may reset admin-only network attributes. This may lead to unexpected behavior with security implications for operators with a custom policy.json, or in some extreme cases network outages resulting in denial of service. All deployments using neutron networking are affected by this flaw.


  • Elena Ezhova from Mirantis (CVE-2014-6414)