Comment 15 for bug 2048114

Jeremy Stanley (fungi) wrote : Re: OpenStack Murano Component Information Leakage

Given this seems to be a serious confirmed vulnerability for any deployment which allows users to upload apps, and it has been spotted by one independent researcher already, it could easily be known to others with more nefarious intentions as well.

The responsible course of action, if there is currently nobody with time to prioritize immediate development and backporting of a fix, is to switch this report to public and that way at least operators of the service can be informed so that they have the opportunity to disable app uploads or remove Murano from their networks entirely. Leaving this private in hopes one of the few people who are aware of it will find time to eventually work on a patch is, unfortunately, not a viable strategy. Bringing it to the wider community might also help avoid releasing OpenStack 2024.1 with this known vulnerability.