Following Brian's post 2 years ago, there didn't seem to be any appetite
for issuing an OSSA on this due to the low risk of exploitation and
limited impact (even though it did eventually get fixed and backported
in the ensuing months). As such, I'm closing the Security Advisory task
as Won't Fix, but if there are any dissenting opinions I'm happy to
reopen and revisit that decision.
** Changed in: ossa
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1988026
Title:
Neutron should not create security group with project==None
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
When a non-admin user tries to list security groups for project_id
"None", Neutron creates a default security group for that project and
returns an empty list to the caller.
To reproduce:
openstack --os-cloud devstack security group list --project None
openstack --os-cloud devstack-admin security group list
The API call that is made is essentially
GET /networking/v2.0/security-groups?project_id=None
The expected result would be an authorization failure, since normal
users should not be allowed to list security groups for other
projects.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1988026/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
