Comment 9 for bug 1861485

Goutham Pacha Ravi (gouthamr) wrote : Re: User knowing the id of a share network can show, delete, create share on a share network owned by different tenant

Tobias, thank you for reporting this bug, and thanks, Mohammed, for the patch. I reviewed and tested the change and it looks appropriate to me.

To be able to view details on a resource that's owned by another project is one thing, but to manipulate the resource is more severe. I agree the user expectation is that UUIDs aren't harmful by themselves and can be divulged.

Is there security team guidance that this class of issues does not warrant being a security issue? If not, I am inclined to confirm this as a significant vulnerability for multi-tenant clouds.