SCA: security update for os-vif (GHSA-mcpw-cp35-p3h8)

critical Tenable Cloud Security Plugin ID 433785

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC
learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both
impedes network performance and allows users to possibly view the content of packets for instances
belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are
affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py. (CVE-2019-15753)

See Also

https://github.com/advisories/GHSA-mcpw-cp35-p3h8

Plugin Details

Severity: Critical

ID: 433785

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.06

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2019-15753

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/24/2022

Vulnerability Publication Date: 8/28/2019

Reference Information

CVE: CVE-2019-15753

cwe: CWE-770