Comment 14 for bug 1861485

Jeremy Stanley (fungi) wrote : Re: User knowing the id of a share network can show, delete, create share on a share network owned by different tenant

Ahh, thanks for the clarification. On closer inspection I see that 1861895 was about unintended access via guessed share UUIDs and this report is about share-network UUIDs.

At any rate, it sounds like leveraging this issue would require another vulnerability (in the browser, the connection, the client's system...) or some degree of social engineering, as Manila doesn't disclose these UUIDs to users for other tenants than those with which the resources are associated. It seems low enough in risk that you could fix it in public without any embargo, and could warrant an accompanying CVE assignment, though whether you consider this a serious enough breach of Manila's security model to issue an advisory or to just treat it as a security hardening opportunity is up to you.