While openstack/manila is not a "vulnerability:managed" deliverable, if it were the OpenStack VMT would switch this bug to Public (not Public Security) and mark any security advisory task "won't fix" because per comment #1 exploiting this requires guessing or having some other means of obtaining random UUIDs for other tenants' resources. This sort of bug falls under report class C1 in our taxonomy: "Not considered a practical vulnerability (but some people might assign a CVE for it), e.g. one depending on UUID guessing" https://security.openstack.org/vmt-process.html#incident-report-taxonomy
Adding the "security" bug tag after making the bug Public will cause the security mailing list to get notified too, in case the Security Team want to draft a future note to document this risk.