"UUID guessing" is the classic example for what the OpenStack VMT considers impractical to exploit (class C1):
https://security.openstack.org/vmt-process.html#incident-report-taxonomy
There are lots of security mechanisms we rely on which boil down to assuming an attacker can't guess absurdly long numbers. This particular classification came about because there are, in particular, numerous services in OpenStack which assume UUIDs are treated as secret information. The usual tactic we take with a class C1 report is to switch it to public as a security hardening opportunity, and optionally, if it represents a notable risk, draft an OpenStack Security Note (considered an addendum to the Security Guide) warning users and deployers of this particular risk so they can be more aware of it.
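As an added example (not part of the original message), a short Python check a deployer could run over identifiers a service treats as secrets: it reports the UUID version, how many bits an attacker would have to guess, and the expected brute-force time at an assumed guess rate. The guess rate and the sample UUIDs below are constructed assumptions.

```python
import uuid

# Unpredictable bits per UUID version, assuming the generator follows
# RFC 4122. Only version 4 is purely random (122 bits once the version
# and variant fields are fixed); v1 embeds a timestamp and node address,
# v3/v5 are name hashes, so none of those are secret-grade.
RANDOM_BITS = {4: 122}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guess_resistance(identifier: str, guesses_per_second: float) -> dict:
    """Estimate how hard a given UUID is to guess by brute force.

    Returns the version, the number of unpredictable bits, whether the
    value is fit to be treated as a secret, and the expected time in
    years to hit it at the stated guess rate. The 122-bit figure assumes
    the v4 UUID came from a cryptographically secure generator.
    """
    u = uuid.UUID(identifier)  # raises ValueError on malformed input
    bits = RANDOM_BITS.get(u.version, 0)
    if bits == 0:
        return {"version": u.version, "random_bits": 0,
                "secret_grade": False, "expected_years": 0.0}
    # On average an attacker searches half the space before a hit.
    expected_guesses = 2 ** (bits - 1)
    years = expected_guesses / guesses_per_second / SECONDS_PER_YEAR
    return {"version": u.version, "random_bits": bits,
            "secret_grade": True, "expected_years": years}


def unfit_as_secrets(identifiers, guesses_per_second: float) -> list:
    """Return the identifiers that should not be relied on as secrets."""
    return [i for i in identifiers
            if not guess_resistance(i, guesses_per_second)["secret_grade"]]


if __name__ == "__main__":
    # Constructed sample: one random v4 UUID and one v1 (time-based) UUID.
    sample = ["123e4567-e89b-42d3-a456-426614174000",
              "6ba7b810-9dad-11d1-80b4-00c04fd430c8"]
    rate = 1e9  # assumed guesses per second
    for ident in sample:
        print(ident, guess_resistance(ident, rate))
    print("unfit:", unfit_as_secrets(sample, rate))
```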