© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
I don't think this is really a security concern. I don't see a possible data leak from one tenant to another. In fact, it's quite possible the chosen host could be running VMs for both the current tenant and the "spoofed" tenant.
Since this relies on knowing the UUID of the other project's instance, that further limits the concern for me. Even if brute force guessing of UUIDs was done, it would be very difficult to actually match something.
And to be clear, even if the UUID is matched, that just places the volume on that instances host. It does not make that volume available to that instance.
So I think if there is something that can be done to further harden this, that's great. But I wouldn't really consider this to be a security vulnerability.