Updating any cinder quota for non-existent project works
Bug #1850273 reported by Abhishek Sharma M
This bug report is a duplicate of:
Bug #1307491: quota-update should error out if input provided is non-existent tenant id.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | New | Undecided | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
When we try to update a cinder quota for a non-existent project, we get a 200 OK response. The non-existent project doesn't get created, but an entry for this project in the quotas table of cinder is made.
PUT /volume/
Looks like a project validation check is missing in the cinder quota update flow.
Due to this flaw, multiple PUT calls on fake project ids might result in filling of quota tables very fast & can be considered a type of DoS attack.
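The missing check described in the report, shown as an added illustration that is not part of the bug report and is not Cinder code: an in-memory model of a quota update with and without project validation. All class and function names, and the choice of 404 and 503 as rejection codes, are assumptions made for this example.

```python
# Added illustration: a minimal in-memory model, not Cinder's implementation.
# Every name here (IdentityClient, QuotaStore, update_quota_*) is hypothetical.


class IdentityUnavailable(Exception):
    """Raised when the project lookup cannot be completed."""


class IdentityClient:
    """Stand-in for the identity service's set of known projects."""

    def __init__(self, project_ids, available=True):
        self._projects = set(project_ids)
        self.available = available

    def project_exists(self, project_id):
        if not self.available:
            raise IdentityUnavailable("project lookup failed")
        return project_id in self._projects


class QuotaStore:
    """Stand-in for the quotas table: one row per (project, resource)."""

    def __init__(self):
        self.rows = {}

    def upsert(self, project_id, resource, limit):
        self.rows[(project_id, resource)] = limit


def update_quota_unchecked(store, project_id, resource, limit):
    # Behaviour described in the report: the project id is never validated,
    # so each request for an unknown id leaves a row in the table.
    store.upsert(project_id, resource, limit)
    return 200


def update_quota_checked(store, identity, project_id, resource, limit):
    # Validate the target project before touching the quotas table.
    try:
        known = identity.project_exists(project_id)
    except IdentityUnavailable:
        return 503  # assumed code: fail closed, write nothing
    if not known:
        return 404  # assumed code: unknown project, write nothing
    store.upsert(project_id, resource, limit)
    return 200
```

In this model the unchecked path grows the table by one row per unknown project id, while the checked path leaves the table unchanged for unknown ids and when the lookup itself fails.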
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.