Bug 1827300 (CVE-2020-10716) - CVE-2020-10716 rubygem-foreman_ansible: "User input" entry from Job Invocation may contain sensitive data
Summary: CVE-2020-10716 rubygem-foreman_ansible: "User input" entry from Job Invocatio...
Alias: CVE-2020-10716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1814998
Blocks: 1818132
TreeView+ depends on / blocked
Reported: 2020-04-23 15:07 UTC by Cedric Buissart
Modified: 2021-12-14 18:47 UTC (History)
11 users (show)

Fixed In Version: tfm-rubygem-foreman_ansible
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data.
Clone Of:
Last Closed: 2021-10-29 06:48:33 UTC

Attachments (Terms of Use)

Description Cedric Buissart 2020-04-23 15:07:11 UTC
The "User input" entry from Job Invocation may contain plaintext password or other sensitive data. As a result, anyone who could view the job invocation could see it.

The fix was to restrict the ability to view Job Invocation to users to are entitle to execute it.

Comment 1 Cedric Buissart 2020-04-23 15:07:15 UTC

Name: Lukáš Hellebrandt (Red Hat)

Comment 2 Cedric Buissart 2020-04-23 15:09:27 UTC
This was fixed via the following errata :


Comment 4 Cedric Buissart 2020-04-23 18:21:37 UTC
External References:


Note You need to log in before you can comment on or make changes to this bug.