Comment 14 for bug 1988026

Nick Tait (nickthetait) wrote :

So far I agree with a moderate impact assessment. Here is a recap as I understand the situation:
Any non-admin user can cause a new security group to be created by listing the security groups of an invalid project_id. This new security group includes 4 default rules which will consume memory and CPU cycles. This action can be repeated an unlimited number of times as there is no quota limit, which could eventually cause a denial of service.

Would it be appropriate for Red Hat to assign this a CVE?