CVE-2019-9735: OpenStack Neutron's unsupported dport option prevents applying security groups
CVSS Score: 6.5 (CVSS 3.0)

Basic Information

CVE ID: CVE-2019-9735
GHSA ID:
EPSS Score: 0.82868%
CWE:
Published: 5/13/2022
Updated: 10/3/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| neutron | pip | < 10.0.8 | 10.0.8 |
| neutron | pip | >= 11.0.0, < 11.0.7 | 11.0.7 |
| neutron | pip | >= 12.0.0, < 12.0.6 | 12.0.6 |
| neutron | pip | >= 13.0.0, < 13.0.3 | 13.0.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper validation of protocol/port compatibility when generating iptables rules. The primary issue lies in the iptables driver's rule construction logic (_build_rule), which appended '--dport' without checking whether the rule's protocol supports a port match at all (VRRP, for example, has no ports). Because iptables rejects '--dport' for such a protocol, the generated rule set cannot be applied, so the security group rules fail to take effect, which is the availability impact in the CVSS vector. The secondary issue is in the security group processing layer (_process_security_group_rule), which did not filter such invalid rules before passing them to the firewall driver. The patches address both points by adding protocol-specific checks and omitting '--dport' where the protocol does not support it. The _build_rule finding is rated high confidence because that function directly generates the iptables command; _process_security_group_rule is rated medium because its role is the indirect one of validation.
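As an added, simplified illustration of this root cause (not Neutron's own code), the following contrasts the pre-patch and patched rule builders. The protocol set, the rule field names and the sample rules are assumptions; apply_rules models iptables-restore rejecting the whole batch when one rule carries '--dport' for a protocol without a port match.

```python
# Added illustration of CVE-2019-9735; not Neutron's code. Field names,
# protocol set and sample rules are assumptions/constructed values.

# Assumption: protocols whose iptables match extension provides --dport.
PORT_PROTOCOLS = frozenset({"tcp", "udp", "sctp", "dccp", "udplite"})

# Constructed sample security group rules: a normal TCP rule and a VRRP
# rule that a tenant created with a port range although VRRP has no ports.
SAMPLE_RULES = [
    {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"protocol": "vrrp", "port_range_min": 1234, "port_range_max": 1234},
]


def _port_args(rule):
    """Render the rule's port range as iptables '--dport' arguments."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None:
        return []
    return ["--dport", str(lo) if lo == hi else f"{lo}:{hi}"]


def build_rule_vulnerable(rule):
    """Pre-patch behaviour: '--dport' is appended for any protocol."""
    return ["-p", rule["protocol"]] + _port_args(rule)


def build_rule_fixed(rule):
    """Patched behaviour: '--dport' only where the protocol supports it."""
    args = ["-p", rule["protocol"]]
    if rule["protocol"] in PORT_PROTOCOLS:
        args += _port_args(rule)
    return args


def apply_rules(rules, build):
    """Model of iptables-restore: one invalid rule rejects the entire
    batch, so none of the security group rules are applied."""
    built = [build(r) for r in rules]
    for args in built:
        if "--dport" in args and args[1] not in PORT_PROTOCOLS:
            return False, args  # iptables: unknown option "--dport"
    return True, built
```

With the vulnerable builder the VRRP rule poisons the whole batch; with the fixed builder the same input applies cleanly and the TCP rule keeps its port match.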