The metadata API method to turn off PXE booting for a node is accessible without authentication.
Bug #1015559 reported by Raphaël Badin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MAAS | Won't Fix | Low | Unassigned |
Bug Description
This permits a denial of service attack but it's not clear how we should fix this at the moment. That flaw existed in Cobbler as well. We will first achieve feature parity with Cobbler before addressing that problem.
description: updated
Changed in maas: status: Triaged → Won't Fix
For now, we might rely on the fact that this sort of stuff is most likely to
be on a trusted management network only. At the risk of assuming too much
good about Cobbler, I suspect that's the rationale for its way of doing it.