
yahoo-eng-team team mailing list archive

[Bug 1798832] Re: Horizon exposes internal IP addresses via keystone/svc-catalog API

 

Reviewed:  https://review.openstack.org/611819
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=31718cd1afe9bf115dbe09b0d232a5d9ae13ae61
Submitter: Zuul
Branch:    master

commit 31718cd1afe9bf115dbe09b0d232a5d9ae13ae61
Author: Alex Petrenko <ghostdragon2013@xxxxxxxxx>
Date:   Fri Oct 19 12:10:38 2018 +0300

    Refactor app response for api request '/api/keystone/svc-catalog'
    
    Add filtration for service catalog. Now all endpoints that are not
    public will not be seen.
    
    Change-Id: I6db214f849d13c4c71e176f00113e889ff2d2997
    Closes-Bug: #1798832


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1798832

Title:
  Horizon exposes internal IP addresses via keystone/svc-catalog API

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  Example url: https://<horizon>/api/keystone/svc-catalog/

  Different application responses contain resource links which disclose
  internal IP addresses. Threat actors could learn valuable information
  and plan further attacks on disclosed systems. Horizon should avoid
  including internal IP addresses in application responses.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1798832/+subscriptions

