Bug 1560035 (CVE-2018-1090)
Summary: | CVE-2018-1090 pulp: sensitive credentials revealed through the API | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | austin, bcourt, bizhang, bkearney, bmbouter, cbillett, daviddavis, dkliban, ggainey, ipanova, jmatthew, jortel, mhrivnak, mmccune, ohadlevy, pcreech, rchan, security-response-team, tomckay, tsanders, ttereshc |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | pulp 2.16.2 | Doc Type: | If docs needed, set a value |
Doc Text: | In pulp, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-07-12 13:05:12 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1560080, 1564123 | | |
Bug Blocks: | 1560037 | | |
Description
Laura Pardo
2018-03-23 18:48:29 UTC
Created pulp tracking bugs for this issue:

Affects: fedora-all [bug 1560080]

External References:
https://pulp.plan.io/issues/3521

The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Statement:

This issue affects the versions of pulp as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having security impact of (Low|Moderate). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of pulp as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

This is fixed in pulp-2.16.2

The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

This issue has been addressed in the following products:

Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1090
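The Doc Text describes the mechanism in one sentence: secrets supplied in `override_config` when a task is triggered get persisted on the importer/distributor record, and the read API then hands them to anyone with read access. The following Python sketch is an added illustration of that failure mode and of the shape of a fix; it is not Pulp's code and is not taken from this bug report. `ImporterStore`, `trigger_sync_vulnerable`, `trigger_sync_fixed`, `SECRET_KEYS` and the credential key names (`basic_auth_password`, `proxy_password`, `ssl_client_key`) are assumptions made for the example, chosen to resemble credential-style importer settings rather than copied from Pulp's schema. The `leaked_secrets` helper is the kind of check a defender can run against what a read-only user actually receives from the API.

```python
"""Toy model of the CVE-2018-1090 failure mode and its mitigation.

Hypothetical code, not Pulp's: an importer document stores the
task-time override_config, and a read endpoint returns that document
to any user with read permission on the importer.
"""
from copy import deepcopy

# Keys treated as secrets. Illustrative names chosen by analogy with
# credential-style importer settings; not Pulp's actual schema.
SECRET_KEYS = frozenset({"basic_auth_password", "proxy_password", "ssl_client_key"})
REDACTED = "*****"


class ImporterStore:
    """Toy persistence layer: one importer document per importer id."""

    def __init__(self):
        self._docs = {}

    def create(self, importer_id, config):
        self._docs[importer_id] = {
            "id": importer_id,
            "config": dict(config),
            "last_override_config": {},
        }

    def get(self, importer_id):
        return self._docs[importer_id]


def merged_config(base, override):
    """Config the task itself runs with: base settings plus overrides."""
    merged = dict(base)
    merged.update(override)
    return merged


def scrub_secrets(config):
    """Return a copy of config with secret values replaced, recursing
    into nested dicts so a secret hidden one level down is also masked."""
    scrubbed = {}
    for key, value in config.items():
        if key in SECRET_KEYS:
            scrubbed[key] = REDACTED
        elif isinstance(value, dict):
            scrubbed[key] = scrub_secrets(value)
        else:
            scrubbed[key] = value
    return scrubbed


def trigger_sync_vulnerable(store, importer_id, override_config):
    """Pre-fix behaviour: the full override_config, secrets included, is
    written to the importer document that read-only users can fetch."""
    doc = store.get(importer_id)
    doc["last_override_config"] = deepcopy(override_config)
    return merged_config(doc["config"], override_config)


def trigger_sync_fixed(store, importer_id, override_config):
    """Post-fix behaviour: the task still receives the real secrets, but
    only a scrubbed copy of the overrides is persisted on the document."""
    doc = store.get(importer_id)
    doc["last_override_config"] = scrub_secrets(override_config)
    return merged_config(doc["config"], override_config)


def read_importer(store, importer_id):
    """API read path available to any user with read permission."""
    return deepcopy(store.get(importer_id))


def leaked_secrets(api_doc):
    """Detection check: secret keys present unredacted in an API response."""
    found = []
    for key, value in api_doc.get("last_override_config", {}).items():
        if key in SECRET_KEYS and value != REDACTED:
            found.append(key)
    return sorted(found)


def demo():
    """Run both code paths on constructed input; returns
    (keys leaked before the fix, keys leaked after the fix)."""
    base = {"feed": "https://example.invalid/repo"}  # constructed sample
    override = {  # constructed sample override_config for one sync task
        "feed": "https://mirror.example.invalid/repo",
        "basic_auth_username": "svc-sync",
        "basic_auth_password": "not-a-real-password",
    }
    vulnerable = ImporterStore()
    vulnerable.create("repo1", base)
    trigger_sync_vulnerable(vulnerable, "repo1", override)
    before = leaked_secrets(read_importer(vulnerable, "repo1"))

    fixed = ImporterStore()
    fixed.create("repo1", base)
    task_cfg = trigger_sync_fixed(fixed, "repo1", override)
    assert task_cfg["basic_auth_password"] == override["basic_auth_password"]
    after = leaked_secrets(read_importer(fixed, "repo1"))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point of the fixed path is that the task still gets the real credentials (the merged config is unchanged), while what lands in the readable document is scrubbed; the alternative of never persisting overrides at all is simpler still, and the Fixed In Version field above (pulp 2.16.2) is where the real correction lives.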