There are two flavours of Swift store: Single Tenant and Multi Tenant. Typically in the case of Multi Tenant no credentials are stored in the location field. If set_image_location is disabled by policy then there is no credentials leak for Multi Tenant mode. I wonder if something like the following should be considered:
"Only Glance setups which use the Swift store are affected. In the case of a Multi Tenant Swift "
"store where 'set_image_location' is disabled by policy there is no vulnerability. In the case of a Single Tenant "
"Swift store backend an attacker with access to the logs (local shell, log aggregation system access, "
"or accidental leak) may potentially leverage this vulnerability to elevate privileges and gain "
"full direct access to the Glance Swift store backend. In the case of both Single and Multi Tenant Swift "
"store backends where the set_image_location policy is not disabled, an attacker with access "
"to the logs may potentially access any credentials contained in locations which have "
"been explicitly set by any user. "
A very minor nit on the description.
There are two flavours of Swift store: Single Tenant and Multi Tenant. Typically in the case of Multi Tenant no credentials are stored in the location field. If set_image_location is disabled by policy then there is no credentials leak for Multi Tenant mode. I wonder if something like the following should be considered:
"Only Glance setups which use the Swift store are affected. In the case of a Multi Tenant Swift " location' is disabled by policy there is no vulnerability. In the case of a Single Tenant "
"store where 'set_image_
"Swift store backend an attacker with access to the logs (local shell, log aggregation system access, "
"or accidental leak) may potentially leverage this vulnerability to elevate privileges and gain "
"full direct access to the Glance Swift store backend. In the case of both Single and Multi Tenant Swift "
"store backends where the set_image_location policy is not disabled, an attacker with access "
"to the logs may potentially access any credentials contained in locations which have "
"been explicitly set by any user. "