[Openstack-security] [Bug 1850273] Re: Updating any cinder quota for non-existent project works
Sean McGinnis
sean.mcginnis at gmail.com
Tue Oct 29 15:51:07 UTC 2019
*** This bug is a duplicate of bug 1307491 ***
https://bugs.launchpad.net/bugs/1307491
** This bug has been marked a duplicate of bug 1307491
quota-update should error out if input provided is non-existent tenant id
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1850273
Title:
Updating any cinder quota for non-existent project works
Status in Cinder:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
When we try to update a cinder quota for a non-existent project, we
get a 200ok response. The non-existent project doesn't get created,
but am entry for this project in the quotas table of cinder is made.
PUT /volume/v3/<proj-id>/os-quota-sets/<non-existent proj-id>
Looks like project validation check is missing in the cinder quota
update flow.
Due to this flaw, multiple PUT calls on fake project ids might result
in filling of quota tables very fast & can be considered a type of DOS
attack.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1850273/+subscriptions
More information about the Openstack-security
mailing list