Since it seems like exploiting this situation requires some additional access to begin with, I'm setting the OpenStack VMT's security advisory task to "won't fix" for now and tagging the report as a security hardening opportunity. If new information comes to light, we can of course revisit that choice (which also becomes much easier with the report now public).
Since it seems like exploiting this situation requires some additional access to begin with, I'm setting the OpenStack VMT's security advisory task to "won't fix" for now and tagging the report as a security hardening opportunity. If new information comes to light, we can of course revisit that choice (which also becomes much easier with the report now public).