Comment 13 for bug 1861485

Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote : Re: User knowing the id of a share network can show, delete, create share on a share network owned by different tenant

Hi Jeremy,

Thank you for the clarification and a link to the taxonomy. While it is going to be unlikely that the UUIDs can be guessed; the impact here would be more if the UUIDs can be obtained via other means, such as sniffing the network packets or capturing network data coming from an insecure client. The Share Network UUIDs are there in the URL, and so if an attacker gets access through those means, can manipulate the resource in undesirable ways. We did not design for these IDs to be secret information.

Examples of the Share Network UUIDs in APIs:

Example of Share Network UUIDs in Horizon Dashboard URLs:

  Share Network details page:

Could you please advise if we should still consider this a class C1 security vulnerability?

Regarding LP 1861895, I am unable to reproduce the issue locally. I'll comment on that bug, it's very likely that an insecure default policy is allowing that vulnerability.