Comment 4 for bug 1779205

Morgan Fainberg (mdrnstm) wrote : Re: GET /v3/OS-FEDERATION/projects leaks project information

<Keystone Developer Hat>This looks like a pretty severe data leak. While usually project info is not really "privileged data", this leaks the entire project structure and all associated attributes. I would develop a fix and propose backports.

<VMT Member Hat>I would likely classify this as a Class A [0] bug due to the severity of data leaking. This should be backportable to all active branches. While this is not directly exploitable (there is no escalation/inappropriate actions able to be taken), this exposes knowledge of every project in the cloud where it is clearly not intended.

Alternatively, this could be a Class D bug since no escalation/inappropriate action can be taken (as of now) even with the entire list of projects.

I'll look for further weighing in from the Keystone-Coresec team.

Finally, if the fixes cannot be generated shortly/quickly, given that this was accidentally released on a public paste site, it would make sense to make this public so that cloud operators could modify their policy.json (or load-balancers/other devices doing layer-7 inspection/routing) to block access to OS-FEDERATION auth URLs.

[0] https://security.openstack.org/vmt-process.html#incident-report-taxonomy
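The layer-7 blocking workaround mentioned in the comment above, as an added example that is not part of the bug thread and not Keystone's own code: a small WSGI filter that refuses requests under the `/v3/OS-FEDERATION` prefix with a 403 before they reach the API. The path is canonicalized first (query string dropped, percent-decoding, repeated slashes and dot segments collapsed, case-insensitive compare) because a naive string-prefix rule in a load balancer is easily sidestepped by `%2F` or `//` variants. The prefix value and the JSON error body are assumptions chosen for this illustration; the request paths in the demo are constructed.

```python
"""Hypothetical WSGI middleware that blocks Keystone OS-FEDERATION routes.

Example code added for illustration; it is not part of Keystone or of the
bug report. BLOCKED_PREFIXES is an assumed configuration value.
"""
import urllib.parse

# Assumed: block every federation route, which is the blanket workaround
# the comment describes. Narrow this tuple if federated login must keep working.
BLOCKED_PREFIXES = ("/v3/OS-FEDERATION",)


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path so that encoding tricks cannot bypass
    a prefix match: strip the query string, percent-decode twice
    (%252F -> %2F -> /), drop empty and '.' segments, resolve '..'."""
    path = raw_path.split("?", 1)[0]
    path = urllib.parse.unquote(urllib.parse.unquote(path))
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def is_blocked(raw_path: str, prefixes=BLOCKED_PREFIXES) -> bool:
    """True when the canonical path equals a blocked prefix or lies under it.
    The compare is case-insensitive, which is conservative for a deny rule."""
    path = normalize_path(raw_path).upper()
    for prefix in prefixes:
        p = prefix.upper()
        if path == p or path.startswith(p + "/"):
            return True
    return False


def federation_block_middleware(app, prefixes=BLOCKED_PREFIXES):
    """Wrap a WSGI app; blocked paths get a 403 and never reach the app."""
    body = b'{"error": {"code": 403, "message": "Forbidden"}}'

    def wrapper(environ, start_response):
        if is_blocked(environ.get("PATH_INFO", ""), prefixes):
            start_response(
                "403 Forbidden",
                [("Content-Type", "application/json"),
                 ("Content-Length", str(len(body)))],
            )
            return [body]
        return app(environ, start_response)

    return wrapper


def upstream_ok_app(environ, start_response):
    """Stand-in for the real Keystone app: always answers 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def invoke(app, path: str):
    """Drive a WSGI app with a constructed GET request; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    data = b"".join(app(environ, start_response))
    return captured["status"], data


if __name__ == "__main__":
    guarded = federation_block_middleware(upstream_ok_app)
    # Constructed request paths, including two encoding variants of the leaky route.
    for p in ("/v3/OS-FEDERATION/projects",
              "/v3//os-federation/projects?limit=10",
              "/v3/OS-FEDERATION%2Fprojects",
              "/v3/auth/tokens",
              "/v3/projects"):
        print(p, "->", invoke(guarded, p)[0])
```

Blocking the whole prefix also disables federated authentication (the SAML2/OpenID Connect auth routes live under the same path), so a deployment that relies on federation would narrow `BLOCKED_PREFIXES` to the listing route rather than the whole tree, and pair this with a policy.json change as the comment suggests.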