Updating any neutron quota for non-existent project works
Bug #1850274 reported by Abhishek Sharma M
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
neutron | Confirmed | Low | Unassigned |
Bug Description
When we try to update a neutron quota for a non-existent project, we get a 200 OK response. The non-existent project doesn't get created, but an entry for this project is made in the quotas table of neutron.
PUT network/
Looks like a project validation check is missing in the neutron quota update flow.
Due to this flaw, multiple PUT calls on fake project IDs might result in filling of quota tables very fast & can be considered a type of DoS attack.
Changed in neutron:
status: New → Confirmed
importance: Undecided → Low
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
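
The missing check from the bug description, sketched as an added example that is not neutron's code: a quota update that writes a row for any project ID, the same update with a project-existence check in front of it, and an audit that lists quota rows whose project does not exist. The table schema, the `KNOWN_PROJECTS` set standing in for an identity-service lookup, and all function names are assumptions made for illustration.

```python
import sqlite3

# Constructed stand-in for the identity service's project list (assumption).
KNOWN_PROJECTS = {"a1b2c3", "d4e5f6"}


class ProjectNotFound(Exception):
    """Raised when a quota update names a project that does not exist."""


def make_db():
    # Simplified, assumed schema; "lim" avoids the SQL keyword LIMIT.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE quotas (project_id TEXT, resource TEXT, "
               "lim INTEGER, PRIMARY KEY (project_id, resource))")
    return db


def update_quota_unchecked(db, project_id, resource, limit):
    # Behaviour described in the report: a row is written for any project ID.
    db.execute("INSERT OR REPLACE INTO quotas VALUES (?, ?, ?)",
               (project_id, resource, limit))
    return 200


def update_quota_checked(db, project_id, resource, limit, projects=KNOWN_PROJECTS):
    # Validate the project before touching the quotas table.
    if project_id not in projects:
        raise ProjectNotFound(project_id)
    return update_quota_unchecked(db, project_id, resource, limit)


def orphaned_quota_projects(db, projects=KNOWN_PROJECTS):
    # Audit: project IDs that have quota rows but no matching project.
    rows = db.execute("SELECT DISTINCT project_id FROM quotas ORDER BY project_id")
    return [pid for (pid,) in rows if pid not in projects]


def demo():
    db = make_db()
    update_quota_unchecked(db, "a1b2c3", "network", 20)
    for i in range(3):  # constructed IDs with no matching project
        update_quota_unchecked(db, f"fake-{i}", "network", 1)
    try:
        update_quota_checked(db, "fake-99", "network", 1)
        rejected = False
    except ProjectNotFound:
        rejected = True
    return rejected, orphaned_quota_projects(db)
```

Calling `demo()` returns whether the checked path rejected the unknown project and the list of orphaned project IDs left behind by the unchecked path.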