A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Admin-only network attributes may be reset to defaults by non-privileged users Reporter: Elena Ezhova (Mirantis) Products: Neutron Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2 Description: Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating a network attribute with a default value a non-privileged user may reset admin-only network attributes. This may lead to unexpected behavior with security implications for operators with a custom policy.json, or in some extreme cases network outages resulting in denial of service. All deployments using neutron networking are affected by this flaw. References: https://launchpad.net/bugs/1357379 Thanks in advance, -- Grant Murphy OpenStack Vulnerability Management Team