A user who knows the UUID of a share network can show its details, create shares on it, or delete it, regardless of which project owns it: the API does not validate the caller's user/project before acting on the share network. Share-network UUIDs are not intended to be secret, but there is currently no protection that makes their disclosure safe, so knowledge of a UUID alone is sufficient to act on another tenant's resource.
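The flaw is an authorization check that is missing from the lookup path, not a leak of the identifier. The following is an added illustration written for this page, not Manila's own code: it contrasts a lookup that trusts the UUID alone with one scoped to the caller's project, and shows a cross-tenant delete failing against the scoped version. The in-memory store, the RequestContext class and every function name here are assumptions made for the demonstration.

```python
"""Constructed example: UUID-only lookup vs. project-scoped lookup.

Not Manila's implementation. The store, context class and function
names are assumptions for illustration only.
"""
import uuid
from dataclasses import dataclass, field


class NotFound(Exception):
    """Resource is absent or not visible to this caller."""


@dataclass
class RequestContext:
    # Assumed minimal stand-in for an API request context.
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass
class ShareNetwork:
    id: str
    project_id: str
    name: str


@dataclass
class ShareNetworkStore:
    # Constructed in-memory stand-in for a share_networks table.
    rows: dict = field(default_factory=dict)

    def add(self, project_id, name):
        sn = ShareNetwork(id=str(uuid.uuid4()), project_id=project_id, name=name)
        self.rows[sn.id] = sn
        return sn


def share_network_get_vulnerable(store, ctx, share_network_id):
    """Vulnerable pattern: possession of the UUID is treated as proof of
    access, so any authenticated caller who learns it gets the object."""
    try:
        return store.rows[share_network_id]
    except KeyError:
        raise NotFound(share_network_id)


def share_network_get(store, ctx, share_network_id):
    """Hardened pattern: the lookup is scoped to the caller's project.
    Non-admins get NotFound for other tenants' networks rather than a
    distinct 'forbidden', so the response does not confirm that a
    guessed UUID exists."""
    sn = store.rows.get(share_network_id)
    if sn is None or (not ctx.is_admin and sn.project_id != ctx.project_id):
        raise NotFound(share_network_id)
    return sn


def share_network_delete(store, ctx, share_network_id):
    """Mutating operations reuse the scoped lookup, so a cross-tenant
    delete fails exactly like a cross-tenant show."""
    sn = share_network_get(store, ctx, share_network_id)
    del store.rows[sn.id]
    return sn.id


def can_access(store, ctx, share_network_id):
    """True if the scoped lookup lets ctx see the share network."""
    try:
        share_network_get(store, ctx, share_network_id)
        return True
    except NotFound:
        return False


def demo():
    """Return True when the scoped path blocks the cross-tenant delete."""
    store = ShareNetworkStore()
    victim_sn = store.add(project_id="victim-project", name="prod-net")
    attacker = RequestContext(user_id="mallory", project_id="attacker-project")

    # Before: the attacker needs nothing but the UUID.
    leaked = share_network_get_vulnerable(store, attacker, victim_sn.id)
    assert leaked.project_id == "victim-project"

    # After: same UUID, same caller, but the scoped lookup refuses and
    # the victim's share network survives.
    blocked = not can_access(store, attacker, victim_sn.id)
    try:
        share_network_delete(store, attacker, victim_sn.id)
    except NotFound:
        pass
    blocked = blocked and victim_sn.id in store.rows

    # The owner still succeeds.
    owner = RequestContext(user_id="alice", project_id="victim-project")
    assert share_network_get(store, owner, victim_sn.id) is victim_sn
    return blocked


if __name__ == "__main__":
    print("cross-tenant delete blocked:", demo())
```

Returning NotFound rather than a separate "forbidden" error for other tenants' UUIDs is a deliberate choice: since the identifiers are not secret, the API should avoid confirming which guessed UUIDs exist.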
Acknowledgments: Name: the OpenStack Manila project
Mitigation: There is no known mitigation for this issue; the flaw can only be resolved by applying updates.
Created attachment 1667633: Pike patch
Created attachment 1667634: Queens patch
Created attachment 1667635: Ussuri patch
Upstream bug: https://bugs.launchpad.net/manila/+bug/1861485
Upstream fixes:
train: https://review.opendev.org/712163
stein: https://review.opendev.org/712164
rocky: https://review.opendev.org/712165
queens: https://review.opendev.org/712166
Created openstack-manila tracking bugs for this issue: Affects: openstack-rdo [bug 1812356]
References: https://bugs.launchpad.net/manila/+bug/1861485
External References: https://security.openstack.org/ossa/OSSA-2020-002.html
This issue has been addressed in the following products: Red Hat OpenStack Platform 15.0 (Stein) Via RHSA-2020:1326 https://access.redhat.com/errata/RHSA-2020:1326
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-9543
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.0 (Train) Via RHSA-2020:2165 https://access.redhat.com/errata/RHSA-2020:2165
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens); Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS Via RHSA-2020:2729 https://access.redhat.com/errata/RHSA-2020:2729