It was found that the private key for the node certificate was contained in a world-readable temporary file. A local user could possibly use this flaw to gain access to the private key information in the temporary file.
It was reported that the pulp-gen-nodes-certificate script uses insecurely created temporary files for storing the generated node certificates, allowing local attackers to leak the keys or overwrite arbitrary files via a symlink.
Created attachment 1146475
Proposed patch
I am attaching a revised version of the patch that removes the unneeded umask statement, and credits jcline in the commit message.
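The flaw class this report describes (key material in a world-readable, insecurely created temporary file) is avoided by the pattern below. It is an added example, not the pulp script or the attached patch; the function names, the `nodecert` prefix and the placeholder key text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the pulp script or its patch. Function names, the
# "nodecert" prefix and the key text are constructed for illustration.

# mktemp -d picks an unpredictable name and creates the directory atomically
# with mode 0700; it fails rather than reuse a path that already exists.
make_private_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/nodecert.XXXXXXXXXX"
}

# Write stdin to a new file. umask 077 (scoped to a subshell) makes the file
# 0600 from creation; set -C (noclobber) makes '>' refuse to overwrite an
# existing regular file, including one reached through a symlink.
write_secret() {
    ( umask 077; set -C; cat > "$1" )
}

# Succeed only for a regular file that is not a symlink and has no
# group/other permission bits (octal mode ends in 00, e.g. 600).
is_private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    _mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$_mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stage a placeholder "key" in a private directory, verify it, clean up.
stage_key_demo() (
    workdir=$(make_private_workdir) || exit 1
    trap 'rm -rf "$workdir"' EXIT
    printf '%s\n' 'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' |
        write_secret "$workdir/node.key" || exit 1
    is_private_file "$workdir/node.key"
)
```

`is_private_file` can also be pointed at leftover files under the temporary directory to audit for key material that was staged without these protections.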