yahoo-eng-team team mailing list archive
Message #75327
[Bug 1798832] [NEW] Horizon exposes internal IP addresses via keystone/svc-catalog API
Public bug reported:
Example URL: https://<horizon>/api/keystone/svc-catalog/
Different application responses contain resource links which disclose
internal IP addresses. Threat actors could learn valuable information
and plan further attacks on disclosed systems. Horizon should avoid
including internal IP addresses in application responses.
** Affects: horizon
Importance: Undecided
Assignee: Oleksiy Petrenko (enacero)
Status: In Progress
** Changed in: horizon
Assignee: (unassigned) => Oleksiy Petrenko (enacero)
** Changed in: horizon
Status: New => In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1798832
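An added example, not part of the original bug report and not Horizon's code: one way to audit a svc-catalog response body for endpoint URLs whose host is a literal internal IP address, and to strip those entries before the catalog is serialized. The catalog shape (a list of services, each with `endpoints` carrying `interface` and `url`, as in a Keystone v3 catalog), the function names and every host in the sample are assumptions constructed for illustration.

```python
import copy
import ipaddress
from urllib.parse import urlsplit

# Constructed sample shaped like a Keystone v3 service catalog (an assumption
# about the response body; all hosts and addresses here are made up).
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "url": "https://cloud.example.org:5000/v3"},
        {"interface": "internal", "url": "http://10.20.0.11:5000/v3"},
        {"interface": "admin", "url": "http://10.20.0.11:35357/v3"},
    ]},
    {"type": "image", "name": "glance", "endpoints": [
        {"interface": "public", "url": "http://192.168.50.7:9292"},
    ]},
]


def is_internal_host(url):
    """True if the URL's host is a literal private, loopback or link-local IP."""
    host = urlsplit(url or "").hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name: cannot be classified without resolving it
    return addr.is_private or addr.is_loopback or addr.is_link_local


def find_internal_endpoints(catalog):
    """Return (service type, interface, url) for each endpoint on an internal IP."""
    return [
        (svc.get("type"), ep.get("interface"), ep.get("url"))
        for svc in catalog
        for ep in svc.get("endpoints", [])
        if is_internal_host(ep.get("url"))
    ]


def redact_catalog(catalog):
    """Return a copy of the catalog without endpoints that sit on internal IPs."""
    cleaned = copy.deepcopy(catalog)
    for svc in cleaned:
        svc["endpoints"] = [
            ep for ep in svc.get("endpoints", [])
            if not is_internal_host(ep.get("url"))
        ]
    return cleaned
```

Endpoints published under internal DNS names pass this check unchanged, so a deployment that uses such names needs its own allow-list of public hosts in addition to the IP test.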