{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-3277", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-03T01:07:05.880Z", "dateReserved": "2022-09-22T00:00:00", "datePublished": "2023-03-06T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-03-06T00:00:00"}, "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."}], "affected": [{"vendor": "n/a", "product": "openstack-neutron", "versions": [{"version": "As shipped with Red Hat Openstack 13, 16.1, and 16.2", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129193"}, {"url": "https://bugs.launchpad.net/neutron/+bug/1988026"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400", "cweId": "CWE-400"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:07:05.880Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129193", "tags": ["x_transferred"]}, {"url": "https://bugs.launchpad.net/neutron/+bug/1988026", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "matchCriteriaId": "97FCCEF5-421A-481C-896F-134DFEA4F788", "versionEndExcluding": "18.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openstack:neutron:*:*:*:*:*:*:*:*", "matchCriteriaId": "50017637-10DA-4C94-BD3D-234DE8982F1F", "versionEndExcluding": "19.5.0", "versionStartIncluding": "19.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*", "matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."}], "id": "CVE-2022-3277", "lastModified": "2024-11-21T07:19:11.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-06T23:15:10.763", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://bugs.launchpad.net/neutron/+bug/1988026"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129193"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://bugs.launchpad.net/neutron/+bug/1988026"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129193"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:8870", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "openstack-neutron-1:15.2.1-1.20221005123225.40d217c.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2022:8855", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "openstack-neutron-1:15.3.5-2.20221005184727.c81fb5b.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:0275", "cpe": "cpe:/a:redhat:openstack:17.0::el9", "package": "openstack-neutron-1:18.4.1-0.20221128170741.5258354.el9ost", "product_name": "Red Hat OpenStack Platform 17.0", "release_date": "2023-01-25T00:00:00Z"}], "bugzilla": {"description": "openstack-neutron: unrestricted creation of security groups", "id": "2129193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129193"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-400", "details": ["An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.", "An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service."], "name": "CVE-2022-3277", "package_state": [{"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "package_name": "openstack-neutron", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2022-08-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3277\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3277\nhttps://bugs.launchpad.net/neutron/+bug/1988026"], "statement": "While this vulnerability triggers the usage of API and Database resources, there is no action taken by OpenStack to enforce these new security group rules. As a result, the impact of this Denial of Service is rather limited. So deployments that have a strong trust relationship with all users (such as a private or company-internal OpenStack service) can consider this flaw as having a Low impact. Additionally, this vulnerability only affects deployments which provide direct access to their application programming interface (API). The command line interface (CLI) has had protections against this kind of misuse since at least Red Hat OpenStack Platform 13.", "threat_severity": "Moderate"}