Comment 5 for bug 1290537

Thierry Carrez (ttx) wrote : Re: RBAC policy not enforced when adding a security group rule using EC2 API

Trying to make sure this is an exploitable vulnerability...

If add_to_instance and remove_from_instance are protected by RBAC, can you actually do any harm using the unprotected functions? What would be the attack scenario? Would, for example, using remove_rules remove security group rules from instances?