feedback our modification and performance after modification

Bug #1889512 reported by yuhsiang lin on 2020-07-30
This bug affects 1 person
Affects: Glance
  Importance: Undecided
  Assigned to: Unassigned
Affects: OpenStack Security Advisory
  Importance: Undecided
  Assigned to: Unassigned

Bug Description

Hi, when I re-scanned the current stable branch, I found some high-risk Command Injection findings.
The risk is in \glance\glance\tests\utils.py, so I am trying to resolve it.

Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Jeremy Stanley (fungi) wrote :

Given that the problems you've identified are in Glance's unit tests, I don't think this needs to be discussed in private under embargo. This is at worst a class B3 report per the OpenStack Vulnerability Management Team's taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

If one of the Glance reviewers can confirm this is safe to discuss in the open, I'm happy to switch the bug state to public immediately.

Brian Rosmaita (brian-rosmaita) wrote :

I agree with Jeremy's assessment, this would be at worst B3. It would be useful if the reporter could outline the attack scenario they see here.

Jeremy Stanley (fungi) wrote :

Thanks for confirming, Brian. I've ended the embargo and switched this to public. No advisory expected, class B3 report.

description: updated
information type: Private Security → Public
tags: removed: private
Changed in ossa:
status: Incomplete → Won't Fix
Erno Kuvaja (jokke) on 2021-02-02
Changed in glance:
status: New → Incomplete