The lack of priority on this over the past 6 years seems to indicate it's not a severe enough risk to warrant a widely published advisory even if a fix ever does merge. The VMT and other OpenStack Security SIG members agreed during the 2023.1 cycle that this should be considered class B2 per our report taxonomy: https://security.openstack.org/vmt-process.html#report-taxonomy
The lack of priority on this over the past 6 years seems to indicate it's not a severe enough risk to warrant a widely published advisory even if a fix ever does merge. The VMT and other OpenStack Security SIG members agreed during the 2023.1 cycle that this should be considered class B2 per our report taxonomy: https:/ /security. openstack. org/vmt- process. html#report- taxonomy