Comment 2 for bug 1524274

Jeremy Stanley (fungi) wrote : Re: Unprivileged api user can access host data using instance snapshot

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

In the past, we've considered bugs requiring UUID guessing to be security hardening opportunities rather than reasonably exploitable vulnerabilities. If it's confirmed that you need to guess or otherwise obtain the UUID of another tenant's instance to take advantage of this, then the VMT likely won't issue a security advisory nor request a CVE assignment. Also, the reduced risk implies that we'd be better off working this bug through our normal public process rather than incurring the expense of a private embargo.