Cross project access rules and their metadata can be retrieved by ID
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Shared File Systems Service (Manila) | Fix Released | Medium | Goutham Pacha Ravi | wallaby-3
Bug Description
Description
===========
A non-privileged user of one project can use the access rules API introduced in version 2.45 to retrieve access rules belonging to another project, and to modify the metadata of those access rules, given only the ID of the access rule.
Security Impact: To act maliciously, an attacker needs the rule ID. Rule IDs are UUIDs, which are unguessable, so a brute-force attack is improbable; access rule IDs are only obtainable by referencing a share whose UUID must also be known. Per the OpenStack VMT guidelines this bug therefore qualifies as a Class C1 vulnerability: not considered a practical vulnerability (though some people might assign a CVE for it), e.g. one depending on UUID guessing.
Steps to reproduce
==================
* Create a share as user "demo" belonging to project "demo"
* Create an access rule for the share, record its UUID
* Obtain an API token as user "alt_demo" belonging to project "alt_demo"
* Execute GET /share-
* Execute PUT /share-
Expected result
===============
403 Forbidden
Actual result
=============
200 OK
With access rule information
Environment
===========
1. Affected Branches: Rocky-Victoria, Main/Wallaby
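The defect described above, as an added illustration that is not Manila's code: a lookup that authorizes on possession of the rule's UUID alone, beside one that resolves the rule's parent share and requires the caller's project to own it. The `Context`, `Share` and `AccessRule` types and the sample records are constructed for the example.

```python
# Added example, not Manila's implementation: minimal model of the
# cross-project access rule lookup and the ownership check that closes it.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised where the API should answer 403 Forbidden."""


@dataclass
class Context:
    project_id: str
    is_admin: bool = False


@dataclass
class Share:
    id: str
    project_id: str


@dataclass
class AccessRule:
    id: str
    share_id: str
    metadata: dict = field(default_factory=dict)


# Constructed sample data: one share owned by project "demo" with one rule.
SHARES = {"share-1": Share("share-1", "demo")}
RULES = {"rule-1": AccessRule("rule-1", "share-1", {"k": "v"})}


def get_rule_unchecked(ctx: Context, rule_id: str) -> AccessRule:
    """Vulnerable pattern: the rule is fetched by ID only, so any
    authenticated user who knows the UUID gets its data (200 OK)."""
    return RULES[rule_id]


def get_rule_checked(ctx: Context, rule_id: str) -> AccessRule:
    """Hardened pattern: resolve the rule's parent share and require the
    caller's project to own it, unless the caller is an admin."""
    rule = RULES[rule_id]
    share = SHARES[rule.share_id]
    if not ctx.is_admin and share.project_id != ctx.project_id:
        raise Forbidden(rule_id)  # 403 instead of 200 for other projects
    return rule


def update_rule_metadata_checked(ctx: Context, rule_id: str, metadata: dict) -> dict:
    """PUT on rule metadata goes through the same ownership check."""
    rule = get_rule_checked(ctx, rule_id)
    rule.metadata.update(metadata)
    return rule.metadata
```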
Changed in manila:
assignee: nobody → Goutham Pacha Ravi (gouthamr)
milestone: none → wallaby-3
importance: Undecided → Medium
Changed in manila:
status: New → Fix Released
tags: added: rbac
tags: added: wallaby-rc-bugsquash
Fix proposed to master: https://review.opendev.org/c/openstack/manila/+/778143
RBAC tightening for share access rule