Bug 1257154 (CVE-2015-6918) - CVE-2015-6918 salt: git module leaks authentication details into log
Summary: CVE-2015-6918 salt: git module leaks authentication details into log
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-6918
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1257155 1257156
Blocks: 1257160
TreeView+ depends on / blocked
 
Reported: 2015-08-26 11:38 UTC by Adam Mariš
Modified: 2019-09-29 13:36 UTC (History)
5 users (show)

Fixed In Version: salt-2015.5.5
Clone Of:
Environment:
Last Closed: 2015-11-18 06:40:05 UTC
Embargoed:

Attachments (Terms of Use)

Description Adam Mariš 2015-08-26 11:38:29 UTC 
It was found that calling git.clone with https user/pass will leak the authentication details to the log.

Upstream patch:

https://github.com/saltstack/salt/commit/28aa9b105804ff433d8f663b2f9b804f2b75495a
Comment 1 Adam Mariš 2015-08-26 11:39:20 UTC 
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1257155]
Affects: epel-all [bug 1257156]
Comment 2 Siddharth Sharma 2015-11-18 06:39:10 UTC 
Analysis:

Salt git module is affected in Ceph, but git module is not used by ceph  in production environment. Hence Ceph itself is not affected by this vulnerability but shipped salt git module is.
Comment 4 Erik Johnson 2016-01-04 22:14:22 UTC 
Just to add some more info here, the auth info was only being leaked at the debug loglevel. Salt ships with the loglevel set to "warning" by default, so the issue would not present itself unless the loglevel was intentionally changed to debug.

2015.5.8 builds were submitted today as updates for the Fedora and EPEL branches, which includes fixes to redact HTTPS basic auth credentials.
Note You need to log in before you can comment on or make changes to this bug.