Comment 9 for bug 1861485
Revision history for this message
| Goutham Pacha Ravi (gouthamr) wrote Re: User knowing the id of a share network can show, delete, create share on a share network owned by different tenant | #9 |
Tobias thank you for reporting this bug; and thanks Mohammed for the patch. I reviewed and tested the change and it looks appropriate to me.
To be able to view details on a resource that's owned by another project is one thing, but to manipulate the resource is more severe. I agree the user expectation is that UUIDs aren't harmful by themselves and can be divulged.
Is there a security team guidance that this class of issues does not warrant being a security issue? If not, I am inclined to confirm this as a significant vulnerability for multi-tenant clouds.