yahoo-eng-team team mailing list archive

[Bug 1545702] Re: Images v2 api metadef vulnerability

This report came up in another discussion today, so for clarity I just
wanted to state that the VMT is considering it a security hardening
opportunity for now. If this is an avenue for filling up a reasonably
provisioned database before an operator's typical database resource
monitoring solution would alert them to the situation so they could
disable the user's accounts, then we could reconsider issuing an
advisory about it once fixed.

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Won't Fix

** Tags added: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1545702

Title:
  Images v2 api metadef vulnerability

Status in Glance:
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  It looks like a regular user can use the metadef api to create an
  unlimited number of records in the database.

   $ glance md-namespace-create ns1 xxx
   $ glance md-namespace-create ns2 xxx
   .
   .
   .

   $ glance md-tag-create --name tag OS::Software::WebServers
   $ glance md-tag-create --name tag2 OS::Software::WebServers
   .
   .
   .

  etc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1545702/+subscriptions