MEDIUM

GHSA-xv24-hxh9-2hh9

OpenStack Neutron has an Incorrect Authorization issue

Details

In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected.
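The failure mode described above, as an added example that is not Neutron's code: a small model of an enforcer that applies a fallback rule to action names with no defined rule, next to a fail-closed variant and a check that lists enforced names lacking a rule. The role names, rule names and the fallback behaviour are assumptions made for this model; the advisory does not give Neutron's actual policy names.

```python
import difflib

# Constructed model: role names and rule names are hypothetical, not Neutron's.
ROLE_LEVEL = {"reader": 0, "member": 1, "admin": 2}

# Rule name -> minimum role. "default" is the assumed fallback for unknown names.
DEFINED_RULES = {
    "default": "reader",
    "get_tag": "reader",
    "create_tag": "member",
    "update_tag": "member",
    "delete_tag": "member",
}

# Action names a hypothetical controller hands to the enforcer.
ENFORCED_ACTIONS = ["get_tag", "create_tags", "update_tags", "delete_tag"]


def enforce(action, role, rules=DEFINED_RULES):
    """Fallback enforcer: an unknown action silently uses the default rule."""
    required = rules.get(action, rules["default"])
    return ROLE_LEVEL[role] >= ROLE_LEVEL[required]


def enforce_strict(action, role, rules=DEFINED_RULES):
    """Fail-closed enforcer: an action with no defined rule is denied."""
    if action not in rules:
        return False
    return ROLE_LEVEL[role] >= ROLE_LEVEL[rules[action]]


def unregistered_actions(enforced, rules=DEFINED_RULES):
    """Map each enforced name lacking a rule to its closest defined name."""
    findings = {}
    for action in enforced:
        if action not in rules:
            near = difflib.get_close_matches(action, list(rules), n=1)
            findings[action] = near[0] if near else None
    return findings


if __name__ == "__main__":
    for name, hint in unregistered_actions(ENFORCED_ACTIONS).items():
        print(f"no rule for {name!r}; closest defined rule: {hint!r}")
    print("reader create (fallback):", enforce("create_tags", "reader"))
    print("reader create (strict):  ", enforce_strict("create_tags", "reader"))
```

A check like `unregistered_actions` fits in a unit test that compares every action name a controller enforces against the registered rule set, so a plural/singular drift fails the build instead of widening access.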

Affected packages

PyPI / neutron
Introduced in: 28.0.0
Fixed in: 28.0.1
Fix: pip install --upgrade 'neutron>=28.0.1'

PyPI / neutron
Introduced in: 27.0.0
Fixed in: 27.0.3
Fix: pip install --upgrade 'neutron>=27.0.3'

PyPI / neutron
Introduced in: 26.0.0
Fixed in: 26.0.4
Fix: pip install --upgrade 'neutron>=26.0.4'