An access flaw was found in heketi, where the heketi.json configuration file was world-readable. An attacker with local access to the Heketi server could read plain-text passwords from the heketi.json file.
It was discovered that sensitive information could be disclosed through the world-readable file heketi.json, which contains private keys, in heketi 5.x and earlier.
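As an added example (not code from the bug report or from the heketi project), a POSIX shell check that detects a configuration file readable by "other" and tightens it to owner-only access; the file path is a parameter, not heketi's real install location.

```shell
#!/bin/sh
# Added example, not part of the bug report or of heketi: audit a
# heketi.json-style config file for world-readable permissions and fix it.
# Assumes GNU stat (-c '%a' prints the octal mode, e.g. 644).

# Return 0 if the file is readable by "other", 1 if not, 2 if it is missing.
is_world_readable() {
    f="$1"
    [ -e "$f" ] || return 2
    mode=$(stat -c '%a' "$f")
    # The last octal digit is the "other" class; its read bit is 4.
    other=$(( mode % 10 ))
    [ $(( other & 4 )) -ne 0 ]
}

# A file holding plain-text passwords or private keys should be readable
# only by the service account: tighten to 600 when needed, then print the
# resulting mode so the caller can log the change.
harden_config() {
    f="$1"
    if is_world_readable "$f"; then
        chmod 600 "$f"
        echo "tightened $f to 600" >&2
    fi
    stat -c '%a' "$f"
}

# Usage (path is a placeholder): harden_config /path/to/heketi.json
```

Run the audit before the service starts and alert on any "tightened" message, since a mode change on a credentials file is worth investigating.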
Name: Siddharth Sharma (Red Hat)
In reply to comment 0:
Does this also mean that the passwords are not being stored properly (hashed, or at least encrypted) as well?
Created heketi tracking bugs for this issue:
Affects: epel-all [bug 1527161]
Affects: fedora-all [bug 1527160]
This issue has been addressed in the following products:
Red Hat Gluster Storage 3.3 for RHEL 7
Via RHSA-2017:3481 https://access.redhat.com/errata/RHSA-2017:3481