yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1545702] Re: [OSSN-0088] Images v2 api metadef vulnerability

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <1545702@xxxxxxxxxxxxxxxxxx>
Date: Tue, 09 Mar 2021 14:56:26 -0000
Reply-to: Bug 1545702 <1545702@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Summary changed:

- Images v2 api metadef vulnerability
+ [OSSN-0088] Images v2 api metadef vulnerability

** Also affects: ossn
   Importance: Undecided
       Status: New

** Changed in: ossn
       Status: New => Fix Released

** Changed in: ossn
   Importance: Undecided => Critical

** Changed in: ossn
     Assignee: (unassigned) => Abhishek Kekane (abhishek-kekane)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1545702

Title:
  [OSSN-0088] Images v2 api metadef vulnerability

Status in Glance:
  Confirmed
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  It looks like a regular user can use the metadef api to create an
  unlimited number of records in the database.

   $ glance md-namespace-create ns1 xxx
   $ glance md-namespace-create ns2 xxx
   .
   .
   .

   $ glance md-tag-create --name tag OS::Software::WebServers
   $ glance md-tag-create --name tag2 OS::Software::WebServers
  .
  .
  .

  etc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1545702/+subscriptions