[OSSN-0088] Images v2 api metadef vulnerability
Bug #1545702 reported by Stuart McLaren
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Confirmed | Undecided | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Critical | Abhishek Kekane |
Bug Description
It looks like a regular user can use the metadef api to create an unlimited number of records in the database.
```
$ glance md-namespace-create ns1 xxx
$ glance md-namespace-create ns2 xxx
...
$ glance md-tag-create --name tag OS::Software:
$ glance md-tag-create --name tag2 OS::Software:
...
```
etc.
information type: Private Security → Public Security
information type: Public Security → Public
Changed in glance: status: New → Confirmed
summary: Images v2 api metadef vulnerability → [OSSN-0088] Images v2 api metadef vulnerability
Changed in ossn: status: New → Fix Released; importance: Undecided → Critical; assignee: nobody → Abhishek Kekane (abhishek-kekane)
Adding Travis.
@Travis
Any idea if there's something (e.g. quota/limit) which restricts the number of namespaces etc. a user can create?
Thanks.
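
An added example (not part of the bug report or of Glance's code): a check of a Glance `policy.json` for metadef creation rules that any authenticated user passes, which is the condition the bug description relies on. The rule names are Glance's metadef policy targets; the sample policy is constructed, and the fallback to the `default` rule for undefined targets is an assumption about the deployment's oslo.policy settings.

```python
import json

# Glance policy targets that gate creation of metadef records.
METADEF_CREATE_RULES = (
    "add_metadef_namespace",
    "add_metadef_object",
    "add_metadef_property",
    "add_metadef_resource_type_association",
    "add_metadef_tag",
    "add_metadef_tags",
)
ALLOW_ALL = ("", "@")  # oslo.policy check strings that always pass


def resolve(policy, name, seen=()):
    """Follow plain 'rule:<name>' aliases; return the final check string."""
    if name not in policy:
        # Assumption: an undefined target falls back to the "default" rule.
        if name == "default" or "default" not in policy:
            return None
        return resolve(policy, "default", seen + (name,))
    check = policy[name]
    if isinstance(check, list):        # legacy list syntax; [] always passes
        return "" if not check else json.dumps(check)
    check = check.strip()
    if check.startswith("rule:") and " " not in check:
        target = check[len("rule:"):]
        if target in seen:             # alias loop: leave for manual review
            return check
        return resolve(policy, target, seen + (name,))
    return check


def open_metadef_rules(policy_text):
    """Return the metadef create targets any authenticated user passes."""
    policy = json.loads(policy_text)
    return [r for r in METADEF_CREATE_RULES if resolve(policy, r) in ALLOW_ALL]


# Constructed sample policy, not taken from a real deployment.
SAMPLE_POLICY = """{
    "default": "",
    "context_is_admin": "role:admin",
    "add_metadef_namespace": "rule:context_is_admin",
    "add_metadef_object": "",
    "add_metadef_tag": "@",
    "add_metadef_tags": "rule:default"
}"""
```

Any target this returns can be called by a regular user; compound checks (for example `role:admin or rule:default`) are returned unevaluated and need manual review.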