It seems like the task api is admin only by default, so a vulnerable deployment also needs to have changed the task_add policy. Though this is likely a legitimate resource exhaustion denial of service vulnerability.
Can defusedxml work in place to process OVF files?
I wonder if this really needs to be kept private since the issue has been discussed publicly on the #openstack-security channel (http://eavesdrop.openstack.org/irclogs/%23openstack-security/%23openstack-security.2016-09-16.log.html#t2016-09-16T18:09:15).