High severity · 7.5 · NVD Advisory · Published Apr 12, 2017 · Updated May 13, 2026

CVE-2017-5936

Description

OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pairs when applying Neutron security group rules for instances, which allows remote attackers to bypass intended security restrictions.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| nova-lxd (PyPI) | < 13.1.1 | 13.1.1 |

Patches

1b76cefb9208

Ensure LXD veth host device is named correctly

https://github.com/openstack/nova-lxd · James Page · Jan 31, 2017 · via ghsa
2 files changed · +6 -3
  • nova_lxd/nova/virt/lxd/config.py +6 -2 modified
    @@ -224,11 +224,15 @@ def create_network(self, instance_name, instance, network_info):
     
                 for vifaddr in network_info:
                     cfg = self.vif_driver.get_config(instance, vifaddr)
    -                network_devices[str(cfg['bridge'])] = \
    +                key = str(cfg['bridge'])
    +                network_devices[key] = \
                         {'nictype': 'bridged',
                          'hwaddr': str(cfg['mac_address']),
    -                     'parent': str(cfg['bridge']),
    +                     'parent': key,
                          'type': 'nic'}
    +                host_device = self.vif_driver.get_vif_devname(vifaddr)
    +                if host_device:
    +                    network_devices[key]['host_name'] = host_device
                     return network_devices
             except Exception as ex:
                 with excutils.save_and_reraise_exception():
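
Review bot: the `if host_device:` guard at the end of the added lines silently skips `host_name` when `get_vif_devname(vifaddr)` returns nothing, so that interface is created without an explicit host-side device name and nothing records that the fix was not applied to it. Log a warning or raise at that point instead of falling through. Two further points on the same hunk: the unchanged `return network_devices` is indented inside the `for vifaddr in network_info:` loop, so only the first entry of `network_info` ever gets a device and a `host_name`; and neither of the two changed files is a test, so a unit test asserting that the returned device dict carries `host_name` would keep this from regressing.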
    
  • setup.cfg +0 -1 modified
    @@ -3,7 +3,6 @@ name = nova-lxd
     summary = native lxd driver for openstack
     description-file =
         README.md
    -version = 13.2.0
     author = OpenStack
     author-email = openstack-dev@lists.openstack.org
     home-page = http://www.openstack.org/
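
Review bot: removing `version = 13.2.0` from setup.cfg is unrelated to the veth naming change and the commit title does not mention it. Split it into its own commit, or state the reason in the commit message, so that the security fix can be backported and audited on its own.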
    
