Bug 1379909 (CVE-2016-7060)

Summary: CVE-2016-7060 Red Hat QCI: qci exposes passwords in web UI when they should be masked
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: arubin, cchase, jesusr, jmatthew, kdube, security-response-team, smallamp, tcarlin, tsanders
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
It was found that several password fields in QCI failed to properly mask the password while it was being entered. An attacker with physical access or the ability to view the screen would be able to see the passwords as they are being entered, allowing them to later access accounts and services protected by those passwords.
Last Closed: 2017-03-06 19:51:03 UTC
Bug Depends On: 1390813, 1396744
Bug Blocks: 1379910

Description Kurt Seifried 2016-09-28 04:18:13 UTC
The QCI QE Team of Red Hat reports:

In multiple locations within the web interface for QCI the password is shown 
by default when it should be masked by default.

Comment 1 Kurt Seifried 2016-09-28 04:18:19 UTC
Acknowledgments:

Name: QCI QE Team (Red Hat)

Comment 4 errata-xmlrpc 2017-02-06 20:27:52 UTC
This issue has been addressed in the following products:

  QCI 1.0

Via RHSA-2017:0256 https://access.redhat.com/errata/RHSA-2017:0256