Detailed bug description:
Fuel allows you to install plugins have the same version but different versions of the packages (for example: http://paste.openstack.org/raw/Zw0kkYvUPnrQ4V5TxGD0/), but when you try to remove the plug-in returns an error: http://paste.openstack.org/raw/TY7bjKfMDQdzZJR5EorE/ .
Steps to reproduce:
1. Create a new fuel plugin with version=1.0.0 and package_version=2.0.0.
2. Create a new fuel plugin with version=1.0.0 and package_version=4.0.0.
3. Upload to master node and install it.
4. Remove one of this plugins.
Expected results:
Successfully removing one (or all) of this plugins.
Actual result:
Plugins are not removed and an error message is caused by: http://paste.openstack.org/raw/TY7bjKfMDQdzZJR5EorE/
Reproducibility:
On all fuel enviroments.
Workaround:
Remove rpm package from system and mirrors. Remove record allocated with plugin from database.
Impact:
This is a serious bug containing a potential vulnerability through which an attacker can get partial information from the database.
Description of the environment:
Operation system: Linux fuel.domain.tld 3.10.0-229.20.1.el7.x86_64 #1 SMP Tue Nov 3 19:10:07 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Versions of components: 9.0
Shotgun2 report: http://paste.openstack.org/raw/i4KcmfeZH4WBaIjcnnCz/
Reference architecture: -
Network model: -
Related projects installed: fuel-plugins, nailgun
Additional information:
It is very unsafe to show such detailed error messages, probably necessary implement debug mode which will display a detailed error reports.
I don't see how this bug can be exploited by anyone who cannot get root access without this hack. Removing the 'private security' tag.