[Openstack-security] [Bug 1850274] Re: Updating any neutron quota for non-existent project works
Slawek Kaplonski
1850274 at bugs.launchpad.net
Thu Oct 31 12:59:18 UTC 2019
** Changed in: neutron
Status: New => Confirmed
** Changed in: neutron
Importance: Undecided => Low
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1850274
Title:
Updating any neutron quota for non-existent project works
Status in neutron:
Confirmed
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
When we try to update a neutron quota for a non-existent project, we
get a 200 OK response. The non-existent project doesn't get created,
but an entry for this project in the quotas table of neutron is made.
PUT network/v2.0/quotas/<non-existent proj-id>
Looks like a project validation check is missing in the neutron quota
update flow.
Due to this flaw, multiple PUT calls on fake project ids might result
in filling of quota tables very fast & can be considered a type of DoS
attack.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1850274/+subscriptions
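
A sketch of the check the report says is missing, plus an audit for quota rows already left behind by unknown project ids. This is an added example, not neutron's code and not part of the original notification: the simplified quotas schema, the function names, the KNOWN_PROJECTS set and the project_exists callback (a stand-in for an identity-service lookup) are all assumptions.

```python
import sqlite3

# Constructed stand-in for the identity service's project list (assumption).
KNOWN_PROJECTS = {"a1b2c3d4e5f64789a0b1c2d3e4f50617"}


class ProjectNotFound(Exception):
    """Raised when a quota update names a project the identity service does not know."""


def make_db():
    """In-memory model of a quotas table (simplified, hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE quotas (project_id TEXT, resource TEXT, quota_limit INTEGER,"
        " PRIMARY KEY (project_id, resource))"
    )
    return db


def update_quota_unchecked(db, project_id, resource, limit):
    """Behaviour described in the report: any project id gets a row."""
    db.execute(
        "INSERT OR REPLACE INTO quotas VALUES (?, ?, ?)",
        (project_id, resource, limit),
    )


def update_quota_checked(db, project_id, resource, limit, project_exists):
    """Refuse the write unless the project is known to the identity service."""
    if not project_exists(project_id):
        raise ProjectNotFound(project_id)
    update_quota_unchecked(db, project_id, resource, limit)


def orphaned_quota_projects(db, project_exists):
    """Audit: project ids that own quota rows but do not exist as projects."""
    rows = db.execute("SELECT DISTINCT project_id FROM quotas ORDER BY project_id")
    return [pid for (pid,) in rows if not project_exists(pid)]


if __name__ == "__main__":
    db = make_db()
    exists = KNOWN_PROJECTS.__contains__
    update_quota_unchecked(db, "fake-project-1", "network", 100)  # constructed id
    print(orphaned_quota_projects(db, exists))
```

Counting the orphaned rows over time shows whether the table is being filled by requests for project ids that do not exist.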