Bug 1827300 (CVE-2020-10716) - CVE-2020-10716 rubygem-foreman_ansible: "User input" entry from Job Invocation may contain sensitive data
Summary: CVE-2020-10716 rubygem-foreman_ansible: "User input" entry from Job Invocatio...
Keywords:
Status: NEW
Alias: CVE-2020-10716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1814998
Blocks: 1818132
TreeView+ depends on / blocked
 
Reported: 2020-04-23 15:07 UTC by Cedric Buissart
Modified: 2021-02-16 20:13 UTC (History)
12 users (show)

Fixed In Version: tfm-rubygem-foreman_ansible 4.0.3.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Cedric Buissart 2020-04-23 15:07:11 UTC
The "User input" entry from Job Invocation may contain plaintext password or other sensitive data. As a result, anyone who could view the job invocation could see it.

The fix was to restrict the ability to view Job Invocation to users to are entitle to execute it.

Comment 1 Cedric Buissart 2020-04-23 15:07:15 UTC
Acknowledgments:

Name: Lukáš Hellebrandt (Red Hat)

Comment 2 Cedric Buissart 2020-04-23 15:09:27 UTC
This was fixed via the following errata :

https://access.redhat.com/errata/RHSA-2020:1454

Comment 4 Cedric Buissart 2020-04-23 18:21:37 UTC
External References:

https://bugzilla.redhat.com/show_bug.cgi?id=1814998


Note You need to log in before you can comment on or make changes to this bug.