aodh is vulnerable to authorization bypass. When an alarm action with the trust+http: scheme is created, aodh fails to verify that the user providing the trust ID is the trustor or has the same permission as the trustor. It also fails to verify that the trust is for the same project as the alarm.
www.debian.org/security/2017/dsa-3953
www.securityfocus.com/bid/100455
access.redhat.com/errata/RHSA-2017:3227
access.redhat.com/errata/RHSA-2018:0315
bugs.launchpad.net/ossn/+bug/1649333
github.com/openstack/aodh/commit/cb90d3ad472bba8d648803ca94a9196dff97f0e8
review.openstack.org/#/c/493823/
review.openstack.org/#/c/493824/
review.openstack.org/#/c/493826/
wiki.openstack.org/wiki/OSSN/OSSN-0080