No limit in length of "user description " parameter results in DOS attack
Bug #2048111 reported by
Jeremy Stanley
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Dashboard (Horizon) |
New
|
Undecided
|
Unassigned | ||
| OpenStack Identity (keystone) |
New
|
Undecided
|
Unassigned | ||
| OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
Members of the VMT received the following report by E-mail:
There is also no limit on the length of user descriptions in another area. However, only administrators can modify this area, but I still recommend imposing a length limit
Revision history for this message
| Jeremy Stanley (fungi) wrote | #1 |
| Changed in ossa: | |
| status: | New → Incomplete |
| affects: | horizon → keystone |
Revision history for this message
| Jeremy Stanley (fungi) wrote | #2 |
Revision history for this message
| Jeremy Stanley (fungi) wrote | #3 |
Revision history for this message
| David Wilde (dave-wilde) wrote | #4 |
Revision history for this message
| Jeremy Stanley (fungi) wrote | #5 |
| description: | updated |
| Changed in ossa: | |
| status: | Incomplete → Won't Fix |
| information type: | Private Security → Public |
| tags: | added: security |
To post a comment you must log in.
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.
Based on the reporter's assertion that this condition is only exploitable by cloud administrators, I don't think an embargo is warranted and this can just be treated as a hardening opportunity, class D in our report taxonomy: https:/
I included both Horizon and Keystone as it's not clear to me where the mitigation would occur.