A vulnerability was found in the Openshift API - Assisted Installer application. The Discovery ISO leaks the Image Pull Secret through several log files.
@mkaplan can you share in which logs you see the pull secret details?
Fixed by https://issues.redhat.com/browse/MGMT-7450 https://issues.redhat.com/browse/MGMT-7452
I have downloaded a recent AI install (Assisted-ui-lib version: 1.5.34). I checked all the log folders with DumpsterDiver (cool tool!) and found no issue.

python3 DumpsterDiver.py -p /tmp/junk/logs_host_f9fa0a82-7c54-4d58-bcaf-4fb080442cf2 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_a206dca4-25dc-4c7c-b28f-198b93f2170d --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_60f12793-739a-4730-85bd-a50b3cd31e91 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_5c77f6fb-bbf4-4b80-9ce7-207255f61071 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_08bf447b-afa5-4183-9253-368082726516 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_05a36f25-725d-47cf-9dc2-ef7d9201fe4f --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/assisted-installer-controller-h2zlf.logs --max-key=200 --min-key 100 --entropy 5

I also used 'grep -r PullSecretToken' and I am not seeing any exposure.
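An added example, not code from this bug report or from the assisted-installer project, of the kind of verification scan the comment above describes: it applies the same length and entropy thresholds as the DumpsterDiver run (min 100, max 200, entropy 5) together with the literal marker from the grep, over constructed log lines. FAKE_AUTH, SAMPLE_LOG and the marker list are constructed stand-ins, not real pull-secret data.

```python
import math
import re
import string
from collections import Counter

# Thresholds mirroring the DumpsterDiver run quoted above (--min-key 100
# --max-key 200 --entropy 5) plus the literal marker from 'grep -r PullSecretToken'.
MIN_KEY, MAX_KEY, ENTROPY = 100, 200, 5.0
MARKERS = ("PullSecretToken", '"auths"')  # constructed list of strings to grep for
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]+")  # pull-secret "auth" values are base64 runs

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_line(line, lineno):
    """Return (line number, kind, detail) findings for one log line."""
    findings = []
    for marker in MARKERS:
        if marker in line:
            findings.append((lineno, "marker", marker))
    for tok in TOKEN_RE.findall(line):
        if MIN_KEY <= len(tok) <= MAX_KEY and shannon_entropy(tok) >= ENTROPY:
            # Report only a prefix so the report itself does not re-leak the value.
            findings.append((lineno, "high-entropy", tok[:8] + "..."))
    return findings

def scan_log(text):
    """Scan a whole log, given as text, line by line."""
    findings = []
    for i, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(line, i))
    return findings

# Constructed sample data, not real credentials: FAKE_AUTH contains each of the
# 64 base64 symbols exactly twice (128 chars, entropy exactly 6.0 bits/char).
_B64 = string.ascii_letters + string.digits + "+/"
FAKE_AUTH = _B64 + _B64[::-1]
SAMPLE_LOG = "\n".join([
    'level=info msg="Pulling image quay.io/example/agent:latest"',
    'level=debug msg="PullSecretToken=' + FAKE_AUTH + '"',
    'level=info msg="filler ' + "a" * 150 + '"',  # long but low-entropy, not flagged
])

if __name__ == "__main__":
    for lineno, kind, detail in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {detail}")
```

Running it reports line 2 twice (marker hit and high-entropy token) and nothing for lines 1 and 3; on real host log bundles, pass the file contents to scan_log.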
*** Bug 1991803 has been marked as a duplicate of this bug. ***
Upstream fixes: https://github.com/openshift/assisted-installer/commit/f3800cfa3d64ce6dcd6f7b73f0578bb99bfdaf7a https://github.com/openshift/assisted-installer/commit/2403dad3795406f2c5d923af0894e07bc8b0bdc4
This issue has been addressed in the following products: OpenShift Assisted Installer Via RHEA-2021:3455 https://access.redhat.com/errata/RHEA-2021:3455