Comment 2 for bug 1824248

Robin Cernin (rcernin) wrote :

There is an easy reproducer:

1. Source the admin credentials

2. Add a security group rule to someone else's project 'default' group

3. Log in to Horizon as the user who owns that modified security group

4. Navigate to Network -> Security Groups -> Manage Rules for 'default' group

5. The rules are not visible as the API doesn't return them (see Bug description)

It allows a malicious admin to add backdoor access rules that might be later added to VMs without the knowledge of the owner of those VMs.
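An audit check for the condition described in this comment, as an added example that is not part of the original comment or of any OpenStack project: it compares the rule listing obtained with admin credentials against the listing the group's owner receives and reports rules the owner cannot see. It assumes both listings were collected separately and are dicts shaped like entries of the Neutron API `security_group_rules` response; the function names, IDs and sample rules are constructed.

```python
# Added example: function names and sample data are constructed for illustration.

def describe(rule):
    """One-line summary of a Neutron-style security group rule dict."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    ports = "any" if lo is None else (str(lo) if lo == hi else f"{lo}-{hi}")
    proto = rule.get("protocol") or "any"
    remote = rule.get("remote_ip_prefix") or rule.get("remote_group_id") or "any"
    return f"{rule['direction']} {proto} ports={ports} remote={remote}"

def hidden_rules(admin_view, owner_view, group_owners):
    """Rules present in the admin-scoped listing but missing from the
    owner-scoped listing, for groups named in group_owners
    ({security_group_id: owning project_id})."""
    visible = {r["id"] for r in owner_view}
    findings = []
    for rule in admin_view:
        owner = group_owners.get(rule["security_group_id"])
        if owner is None or rule["id"] in visible:
            continue  # group out of audit scope, or owner can see the rule
        findings.append({
            "rule_id": rule["id"],
            "security_group_id": rule["security_group_id"],
            "group_owner": owner,
            "rule_project": rule.get("project_id"),
            "summary": describe(rule),
        })
    return findings

# Constructed sample listings (not taken from the bug report).
GROUP_OWNERS = {"sg-default-a": "project-a"}
ADMIN_VIEW = [
    {"id": "rule-1", "security_group_id": "sg-default-a",
     "project_id": "project-a", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443,
     "remote_ip_prefix": "0.0.0.0/0"},
    {"id": "rule-2", "security_group_id": "sg-default-a",
     "project_id": "project-admin", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "203.0.113.0/24"},
]
OWNER_VIEW = [ADMIN_VIEW[0]]  # what the group's owner is shown

if __name__ == "__main__":
    for finding in hidden_rules(ADMIN_VIEW, OWNER_VIEW, GROUP_OWNERS):
        print(finding)
```

Any finding is a rule that can take effect on instances using the group while staying absent from the owner's view, so it is worth alerting on rather than only logging.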