There is easy reproducer:
1. Source the admin credentials
2. Add a security group rule to someone else project 'default' group
3. Login into Horizon as the user who owns that modified security group
4. Navigate to Network -> Security Groups -> Manage Rules for 'default' group
5. The rules are not visible as the API doesn't return see Bug description
It allows a malicious admin to add backdoor access rules that might be later added to VMs without the knowledge of owner of those VMs.
There is easy reproducer:
1. Source the admin credentials
2. Add a security group rule to someone else project 'default' group
3. Login into Horizon as the user who owns that modified security group
4. Navigate to Network -> Security Groups -> Manage Rules for 'default' group
5. The rules are not visible as the API doesn't return see Bug description
It allows a malicious admin to add backdoor access rules that might be later added to VMs without the knowledge of owner of those VMs.