yahoo-eng-team team mailing list archive
Message #85354
[Bug 1916926] Re: Glance leaks namespace existence to unauthorized users
** Description changed:
- This issue is being treated as a potential security risk under
- embargo. Please do not make any public mention of embargoed
- (private) security vulnerabilities before their coordinated
- publication by the OpenStack Vulnerability Management Team in the
- form of an official OpenStack Security Advisory. This includes
- discussion of the bug or associated fixes in public forums such as
- mailing lists, code review systems and bug trackers. Please also
- avoid private disclosure to other individuals not already approved
- for access to this information, and provide this same reminder to
- those who are made aware of the issue prior to publication. All
- discussion should remain confined to this private bug report, and
- any proposed fixes should be added to the bug as attachments. This
- embargo shall not extend past 2021-05-26 and will be made
- public by or on that date even if no fix is identified.
-
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source openrc demo demo
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2021-02-25T14:11:38+0000 |
| id | gAAAAABgN6IKDUKTn9RNudtZD605vA9l9eErCcXDrdxZwfhePYVlAHXzzCdQs6FK6XDwFvuexzfymc0uX7NY5RisEnQmUBl6eLccgBMYE6vSpVWCDTkFuKIuPfLh3xSkJGjZcpG7nfJ_ImU_wCJJFgcclf1zHTHWQ9Y15k-mAE7l3xceqUkOx2Y |
| project_id | ed4fade2e2cd4be0932ef30357f6d7a1 |
| user_id | e83b2f50463c4959bcc00a96b52b2f86 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-namespace-show foo
+----------------------------+----------------------------------+
| Property | Value |
+----------------------------+----------------------------------+
| created_at | 2021-02-25T04:54:10Z |
| namespace | foo |
| owner | ed4fade2e2cd4be0932ef30357f6d7a1 |
| protected | False |
| resource_type_associations | ["bar"] |
| schema | /v2/schemas/metadefs/namespace |
| updated_at | 2021-02-25T04:54:10Z |
| visibility | private |
+----------------------------+----------------------------------+
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ source alicerc
╭─ubuntu@glance-devstack ~/devstack ‹master*›
╰─➤ $ glance md-resource-type-associate --name test foo
HTTP 403 Forbidden: Forbidding request, metadata definition namespace=foo is not visible.
This might not be a security issue since the user needs to know the
namespace name, but opening this in private based on a recommendation
from jokke.
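As an added illustration (not Glance's code, and not the change that closed this bug), a minimal model of the metadef namespace visibility check shows why answering 403 for a private namespace and 404 for an absent one lets any authenticated caller confirm that a name exists, and the common mitigation of answering 404 in both cases. The in-memory store, the `ALICE` project id and the `status_for` helper are constructed for this example.

```python
# Added illustration (not Glance's code): a 403/404 split on a private
# metadef namespace acts as an existence oracle; the hardened lookup
# answers 404 for both "absent" and "not visible to this project".
from dataclasses import dataclass


class NotFound(Exception):
    status = 404


class Forbidden(Exception):
    status = 403


@dataclass(frozen=True)
class Namespace:
    name: str
    owner: str        # project id that created the namespace
    visibility: str   # "public" or "private"


# Constructed sample store; "foo" mirrors the private namespace in the report.
STORE = {
    "foo": Namespace("foo", "ed4fade2e2cd4be0932ef30357f6d7a1", "private"),
    "shared": Namespace("shared", "ed4fade2e2cd4be0932ef30357f6d7a1", "public"),
}

# Constructed project id for a caller that does not own "foo" (the "alice" role).
ALICE = "00000000000000000000000000000000"


def _visible(ns: Namespace, project_id: str) -> bool:
    return ns.visibility == "public" or ns.owner == project_id


def get_namespace_leaky(name: str, project_id: str) -> Namespace:
    """Tells 'no such namespace' (404) apart from 'exists, not yours' (403)."""
    ns = STORE.get(name)
    if ns is None:
        raise NotFound(name)
    if not _visible(ns, project_id):
        raise Forbidden(f"metadata definition namespace={name} is not visible.")
    return ns


def get_namespace_hardened(name: str, project_id: str) -> Namespace:
    """Absent and hidden namespaces are indistinguishable to the caller."""
    ns = STORE.get(name)
    if ns is None or not _visible(ns, project_id):
        raise NotFound(name)
    return ns


def status_for(lookup, name: str, project_id: str) -> int:
    """HTTP status the caller observes for this lookup; 200 on success."""
    try:
        lookup(name, project_id)
        return 200
    except (NotFound, Forbidden) as exc:
        return exc.status
```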
** Information type changed from Private Security to Public
** Summary changed:
- Glance leaks namespace existence to unauthorized users
+ [OSSN-0088] Glance leaks namespace existence to unauthorized users
** Changed in: ossa
Status: Incomplete => Won't Fix
** Also affects: ossn
Importance: Undecided
Status: New
** Changed in: ossn
Status: New => Fix Released
** Changed in: ossn
Importance: Undecided => Critical
** Changed in: ossn
Assignee: (unassigned) => Abhishek Kekane (abhishek-kekane)
** Tags added: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1916926
Title:
[OSSN-0088] Glance leaks namespace existence to unauthorized users
Status in Glance:
New
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1916926/+subscriptions