CVE-2019-9735

13.03.2019, 02:29

An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 87%

Vendor	Product	Version
openstack	neutron	𝑥 < 10.0.8
openstack	neutron	11.0.0 ≤ 𝑥 < 11.0.7
openstack	neutron	12.0.0 ≤ 𝑥 < 12.0.6
openstack	neutron	13.0.0 ≤ 𝑥 < 13.0.3
debian	debian_linux	9.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

neutron

bullseye (security)	2:17.2.1-0+deb11u1 fixed
bullseye	2:17.2.1-0+deb11u1 fixed
jessie	not-affected
bookworm	2:21.0.0-7 fixed
sid	2:25.0.0-1 fixed
trixie	2:25.0.0-1 fixed