yahoo-eng-team team mailing list archive
Message #85259
[Bug 1916926] [NEW] Glance leaks namespace existence to unauthorized users
*** This bug is a security vulnerability ***
Private security bug reported:
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source openrc demo demo
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2021-02-25T14:11:38+0000 |
| id | gAAAAABgN6IKDUKTn9RNudtZD605vA9l9eErCcXDrdxZwfhePYVlAHXzzCdQs6FK6XDwFvuexzfymc0uX7NY5RisEnQmUBl6eLccgBMYE6vSpVWCDTkFuKIuPfLh3xSkJGjZcpG7nfJ_ImU_wCJJFgcclf1zHTHWQ9Y15k-mAE7l3xceqUkOx2Y |
| project_id | ed4fade2e2cd4be0932ef30357f6d7a1 |
| user_id | e83b2f50463c4959bcc00a96b52b2f86 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-namespace-show foo
+----------------------------+----------------------------------+
| Property | Value |
+----------------------------+----------------------------------+
| created_at | 2021-02-25T04:54:10Z |
| namespace | foo |
| owner | ed4fade2e2cd4be0932ef30357f6d7a1 |
| protected | False |
| resource_type_associations | ["bar"] |
| schema | /v2/schemas/metadefs/namespace |
| updated_at | 2021-02-25T04:54:10Z |
| visibility | private |
+----------------------------+----------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source alicerc
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-resource-type-associate --name test foo
HTTP 403 Forbidden: Forbidding request, metadata definition namespace=foo is not visible.
This might not be a security issue since the user needs to know the namespace name, but opening this in private based on a recommendation from jokke.
** Affects: glance
Importance: Undecided
Status: New
** Information type changed from Public to Private
** Information type changed from Private to Private Security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1916926
Title:
Glance leaks namespace existence to unauthorized users
Status in Glance:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1916926/+subscriptions
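As an added illustration (this is not Glance's code), the hypothetical lookup below mirrors the pattern the session above shows: a 403 "not visible" for a private namespace next to a 404 for a missing one lets any caller confirm that the name exists, whereas answering both cases with the same 404 removes that signal. The store contents, project names and messages are constructed.

```python
# Added example, not Glance code: existence leak via 403-vs-404, and the uniform-404 fix.
from dataclasses import dataclass


@dataclass
class Namespace:
    name: str
    owner: str
    visibility: str  # "public" or "private"


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample store: "foo" is private to project "demo", as in the report.
STORE = {"foo": Namespace("foo", "demo", "private"),
         "pub": Namespace("pub", "demo", "public")}


def is_visible(ns: Namespace, project: str) -> bool:
    return ns.visibility == "public" or ns.owner == project


def lookup_leaky(name: str, project: str) -> Namespace:
    """Observed behaviour: absent -> 404, present-but-not-visible -> 403."""
    ns = STORE.get(name)
    if ns is None:
        raise NotFound("metadata definition namespace=%s was not found" % name)
    if not is_visible(ns, project):
        raise Forbidden("metadata definition namespace=%s is not visible" % name)
    return ns


def lookup_hardened(name: str, project: str) -> Namespace:
    """Hardened variant: a namespace the caller may not see is reported exactly
    like one that does not exist, so the response carries no existence signal."""
    ns = STORE.get(name)
    if ns is None or not is_visible(ns, project):
        raise NotFound("metadata definition namespace=%s was not found" % name)
    return ns


def response_signature(lookup, name: str, project: str) -> tuple:
    """What a caller can observe: the error class and message (name normalised)."""
    try:
        lookup(name, project)
        return ("ok", "<name>")
    except (NotFound, Forbidden) as exc:
        return (type(exc).__name__, str(exc).replace(name, "<name>"))


def existence_oracle(lookup, project: str) -> bool:
    """True if an outside project can tell the private "foo" apart from a missing name."""
    return response_signature(lookup, "foo", project) != response_signature(lookup, "nope", project)
```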