Some APIs don't check the owner policy
Bug #1714858 reported by
wangxiyuan
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Fix Released | Critical | TommyLike | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
For the policy "admin or owner", if the request is not admin, it should compare the owner between "context.project" and "target.project", but actually, for many APIs, it doesn't check it at all.
The "volume show" API does it the correct way. But others, such as "snapshot show" and "backup show", don't.
Both of the incorrect APIs check the policy in the way "context.project == context.project", which is wrong.
I guess some other APIs are wrong as well. Feel free to find them out.
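The defect the report describes, reduced to a runnable illustration. This is an added example, not Cinder's code: the `RequestContext` and `Resource` shapes, the `admin_or_owner` rule and the two check functions are assumptions modeled on the description. The buggy variant builds the policy target from the request context itself, so the owner comparison degenerates to `context.project == context.project` and a request from any project passes; the corrected variant builds the target from the resource being accessed. `rejects_cross_project` is the regression check a reviewer would want for each "show" API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Constructed stand-in for the API request context (assumption)."""
    project_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Resource:
    """Constructed stand-in for a snapshot or backup row (assumption)."""
    id: str
    project_id: str


def admin_or_owner(context: RequestContext, target: dict) -> bool:
    """The 'admin or owner' rule: admin, or the requesting project owns the target."""
    return context.is_admin or context.project_id == target["project_id"]


def buggy_check(context: RequestContext, resource: Resource) -> bool:
    # Defect from the report: the target is derived from the context, not the
    # resource, so the comparison is context.project == context.project and
    # always succeeds for non-admin callers. 'resource' is never consulted.
    target = {"project_id": context.project_id}
    return admin_or_owner(context, target)


def correct_check(context: RequestContext, resource: Resource) -> bool:
    # Fix: the target carries the owner of the object actually being shown.
    target = {"project_id": resource.project_id}
    return admin_or_owner(context, target)


def rejects_cross_project(check) -> bool:
    """Regression probe: a non-admin from another project must be refused,
    the owner and an admin must be allowed. Sample values are constructed."""
    snap = Resource(id="snap-0001", project_id="project-a")
    owner = RequestContext(project_id="project-a")
    stranger = RequestContext(project_id="project-b")
    admin = RequestContext(project_id="project-c", is_admin=True)
    return (
        check(owner, snap) is True
        and check(admin, snap) is True
        and check(stranger, snap) is False
    )


if __name__ == "__main__":
    print("buggy_check passes probe:  ", rejects_cross_project(buggy_check))
    print("correct_check passes probe:", rejects_cross_project(correct_check))
```

Running the probe against every API that claims to enforce "admin or owner" is the systematic way to find the other affected endpoints the report guesses at, rather than reading each handler by hand.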
summary: some API doesn't check the owner policy → Some APIs doesn't check the owner policy
Changed in cinder:
- assignee: nobody → TommyLike (hu-husheng)
- status: New → In Progress
Changed in cinder:
- importance: Undecided → Critical
- information type: Public → Public Security
I see you've switched this from Public to Public Security bug type indicating you believe it describes a vulnerability. Unfortunately, the security implications of this report are unclear (at least to me). Can someone elaborate on the associated risks and a possible exploit scenario or two? Having a more thorough list of which "some other APIs" are guessed to be similarly wrong would also be appreciated.