[OSSN-0088] Glance leaks namespace existence to unauthorized users
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | New | Undecided | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Notes | Fix Released | Critical | Abhishek Kekane | |
Bug Description
```
╭─ubuntu@
╰─➤ $ source openrc demo demo
╭─ubuntu@
╰─➤ $ openstack token issue
+------
| Field | Value |
+------
| expires | 2021-02-
| id | gAAAAABgN6IKDUK
| project_id | ed4fade2e2cd4be
| user_id | e83b2f50463c495
+------
╭─ubuntu@
╰─➤ $ glance md-namespace-show foo
+------
| Property | Value |
+------
| created_at | 2021-02-
| namespace | foo |
| owner | ed4fade2e2cd4be
| protected | False |
| resource_
| schema | /v2/schemas/
| updated_at | 2021-02-
| visibility | private |
+------
╭─ubuntu@
╰─➤ $ source alicerc
╭─ubuntu@
╰─➤ $ glance md-resource-
HTTP 403 Forbidden: Forbidding request, metadata definition namespace=foo is not visible.
```
This might not be a security issue since the user needs to know the namespace name, but opening this in private based on a recommendation from jokke.
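The session above returns a 403 that tells a caller from another project that the private namespace `foo` exists. The following added example (constructed here, not Glance's code; the project ids and the `NAMESPACES` table are assumed sample data) models that lookup beside a variant that answers 404 for both a missing and a not-visible namespace, plus a check that reports whether a handler acts as an existence oracle.

```python
# Constructed model of the behaviour in the report, not Glance's own code.
# Answering 403 for a namespace the caller may not see but 404 for one that
# does not exist lets an unauthorized caller tell the two apart. The hardened
# variant answers 404 in both cases, so nothing is learned from the status.

from dataclasses import dataclass


@dataclass(frozen=True)
class Namespace:
    name: str
    owner: str          # project id that owns the namespace
    visibility: str     # "public" or "private"


# Constructed sample data; project ids are placeholders, not those in the report.
NAMESPACES = {
    "foo": Namespace("foo", "project-demo", "private"),
    "shared": Namespace("shared", "project-demo", "public"),
}


def is_visible(ns: Namespace, project_id: str) -> bool:
    return ns.visibility == "public" or ns.owner == project_id


def show_namespace_leaky(name: str, project_id: str) -> tuple:
    """Behaviour the report shows: existence is revealed before visibility is enforced."""
    ns = NAMESPACES.get(name)
    if ns is None:
        return 404, f"Metadata definition namespace={name} was not found."
    if not is_visible(ns, project_id):
        return 403, f"Forbidding request, metadata definition namespace={name} is not visible."
    return 200, ns.name


def show_namespace_hardened(name: str, project_id: str) -> tuple:
    """Same status for 'absent' and 'not visible': no existence oracle."""
    ns = NAMESPACES.get(name)
    if ns is None or not is_visible(ns, project_id):
        return 404, f"Metadata definition namespace={name} was not found."
    return 200, ns.name


def is_existence_oracle(handler) -> bool:
    """True if a non-owner can distinguish a private namespace from a missing one by status."""
    private_status = handler("foo", "project-alice")[0]
    missing_status = handler("does-not-exist", "project-alice")[0]
    return private_status != missing_status


if __name__ == "__main__":
    print("leaky handler is an oracle:", is_existence_oracle(show_namespace_leaky))
    print("hardened handler is an oracle:", is_existence_oracle(show_namespace_hardened))
```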
| Field | Change |
|---|---|
| information type | Public → Private |
| information type | Private → Private Security |
| description | updated |
| information type | Private Security → Public |
| summary | Glance leaks namespace existence to unauthorized users → [OSSN-0088] Glance leaks namespace existence to unauthorized users |
| Changed in ossa: status | Incomplete → Won't Fix |
| Changed in ossn: status | New → Fix Released |
| Changed in ossn: importance | Undecided → Critical |
| Changed in ossn: assignee | nobody → Abhishek Kekane (abhishek-kekane) |
| tags | added: security |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.