yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #75406
[Bug 1798832] Re: Horizon exposes internal IP addresses via keystone/svc-catalog API
Reviewed: https://review.openstack.org/611819
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=31718cd1afe9bf115dbe09b0d232a5d9ae13ae61
Submitter: Zuul
Branch: master
commit 31718cd1afe9bf115dbe09b0d232a5d9ae13ae61
Author: Alex Petrenko <ghostdragon2013@xxxxxxxxx>
Date: Fri Oct 19 12:10:38 2018 +0300
Refactor app response for api request '/api/keystone/svc-catalog'
Add filtration for service catalog. Now all endpoints that are not
public will not be seen.
Change-Id: I6db214f849d13c4c71e176f00113e889ff2d2997
Closes-Bug: #1798832
** Changed in: horizon
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1798832
Title:
Horizon exposes internal IP addresses via keystone/svc-catalog API
Status in OpenStack Dashboard (Horizon):
Fix Released
Bug description:
Example url: https://<horizon>/api/keystone/svc-catalog/
Different application responses contain resource links which disclose
internal IP addresses. Threat actors could learn valuable information
and plan further attacks on disclosed systems. Horizon should avoid
including internal IP addresses in application responses
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1798832/+subscriptions
References