Comment 11 for bug 1861485

Jeremy Stanley (fungi) wrote : Re: User knowing the id of a share network can show, delete, create share on a share network owned by different tenant

"UUID guessing" is the classic example of what the OpenStack VMT considers impractical to exploit (class C1):

https://security.openstack.org/vmt-process.html#incident-report-taxonomy

There are lots of security mechanisms we rely on which boil down to assuming an attacker can't guess absurdly long numbers. This particular classification came about because there are, in particular, numerous services in OpenStack which assume UUIDs are treated as secret information. The usual tactic we take with a class C1 report is to switch it to public as a security hardening opportunity, and optionally, if it represents a notable risk, draft an OpenStack Security Note (considered an addendum to the Security Guide) warning users and deployers of this particular risk so they can be more aware of it.