yahoo-eng-team team mailing list archive
Message #94671
[Bug 1988026] Re: Neutron should not create security group with project==None
Following Brian's post 2 years ago, there didn't seem to be any appetite
for issuing an OSSA on this due to the low risk of exploitation and
limited impact (even though it did eventually get fixed and backported
in the ensuing months). As such, I'm closing the Security Advisory task
as Won't Fix, but if there are any dissenting opinions I'm happy to
reopen and revisit that decision.
** Changed in: ossa
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1988026
Title:
Neutron should not create security group with project==None
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
When a non-admin user tries to list security groups for project_id
"None", Neutron creates a default security group for that project and
returns an empty list to the caller.
To reproduce:
openstack --os-cloud devstack security group list --project None
openstack --os-cloud devstack-admin security group list
The API call that is made is essentially
GET /networking/v2.0/security-groups?project_id=None
The expected result would be an authorization failure, since normal
users should not be allowed to list security groups for other
projects.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1988026/+subscriptions
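To make the reported behaviour concrete, the following is an added, self-contained model of the security-group list handler; it is not Neutron's code and not part of the bug report. It contrasts a handler that trusts the project_id filter at face value (so the literal string "None" becomes a project that gets a default group, and the caller gets an empty list back) with one that rejects a filter for a project other than the caller's unless the caller is admin, which is the authorization failure the reporter expected. It also includes a small audit helper that scans an admin listing for groups whose project_id is missing or the literal "None". The Context and Store classes, the function names, and the in-memory data are all assumptions made for the example.

```python
"""Constructed model of the Neutron bug above; not Neutron's own code.

list_security_groups_buggy mirrors the report: the project_id filter is
trusted, a default group is created for it (even for "None"), and the
caller, who does not own that project, gets an empty list.
list_security_groups_fixed refuses to act on another project's filter
unless the caller is admin. audit_orphaned_groups finds the leftover
groups an operator would look for in an admin listing.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stand-in for the HTTP 403 the reporter expected (assumption)."""


@dataclass
class Context:
    """Minimal request context (assumption, not Neutron's context object)."""
    project_id: str
    is_admin: bool = False


@dataclass
class Store:
    """In-memory map project_id -> list of security group dicts (assumption)."""
    groups: dict = field(default_factory=dict)

    def ensure_default(self, project_id):
        # Creates the per-project "default" group on first touch, the same
        # side effect the report describes for project "None".
        self.groups.setdefault(
            project_id, [{"name": "default", "project_id": project_id}]
        )
        return self.groups[project_id]

    def all_groups(self):
        # What an admin listing with no filter returns.
        return [g for groups in self.groups.values() for g in groups]


def list_security_groups_buggy(ctx, store, filters):
    """Trusts the filter value: any string becomes a project with a default group."""
    project = filters.get("project_id", ctx.project_id)
    groups = store.ensure_default(project)
    # Ownership is only applied when building the response, so a non-admin
    # asking for "None" triggers the creation and then sees an empty list.
    return [g for g in groups if ctx.is_admin or g["project_id"] == ctx.project_id]


def list_security_groups_fixed(ctx, store, filters):
    """Authorizes the project filter before touching the store."""
    project = filters.get("project_id", ctx.project_id)
    if project != ctx.project_id and not ctx.is_admin:
        # Authorization failure first: nothing is created for the foreign project.
        raise Forbidden(f"cannot list security groups for project {project!r}")
    if not project or project == "None":
        # Extra hardening (assumption, not from the report): never treat an
        # empty or literal "None" project id as a real project, even for admin.
        raise ValueError("invalid project_id filter")
    return list(store.ensure_default(project))


def audit_orphaned_groups(admin_listing):
    """Return groups whose project_id is missing, empty, or the literal 'None'."""
    return [g for g in admin_listing if g.get("project_id") in (None, "", "None")]


if __name__ == "__main__":
    # Constructed walk-through matching the reproduction steps in the report.
    user = Context("p1")
    admin = Context("admin-proj", is_admin=True)

    buggy = Store()
    buggy.ensure_default("p1")
    print(list_security_groups_buggy(user, buggy, {"project_id": "None"}))
    print(audit_orphaned_groups(buggy.all_groups()))

    fixed = Store()
    fixed.ensure_default("p1")
    try:
        list_security_groups_fixed(user, fixed, {"project_id": "None"})
    except Forbidden as exc:
        print("fixed handler:", exc)
    print(audit_orphaned_groups(fixed.all_groups()))
```

The audit helper is the operational check to run after upgrading: the bug's footprint is a "default" group whose project_id is None in the admin listing, which the fix stops creating but does not remove.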