A flaw was found in pki-core 10.10. Older versions are not affected. When the pkispawn command is run in debug mode, admin credentials are stored in the installation log file, which is world-readable.
Acknowledgments: Name: Christian Heimes
Created pki-core tracking bugs for this issue:
Affects: fedora-all [bug 1967401]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:2235 https://access.redhat.com/errata/RHSA-2021:2235
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3551
Upstream fixes:
https://github.com/dogtagpki/pki/commit/0c2f3b84499584bb6029f5ba3988ed3cb081e548
https://github.com/dogtagpki/pki/commit/b01cd8cc7d3e391e69ed2c8161f7e15fa84553e6
https://github.com/dogtagpki/pki/commit/5b09fcaff11d33010469e695ef365a91c91674b5
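A defensive check for the condition described in this report, added here as an example and not taken from the bug report or the pki-core project: it walks a log directory and reports files that are both world-readable and contain credential-looking lines. The directory, file names, sample log lines and the regular expression are constructed assumptions; point `audit_logs` at the directory where your installation logs are actually written.

```python
import os
import re
import stat
import tempfile

# Assumed pattern for credential-bearing lines; tune it to the keys your logs contain.
SECRET_LINE = re.compile(r"(?i)\b[\w.]*(?:password|passwd)[\w.]*\s*[=:]\s*\S+")


def audit_logs(log_dir, fix=False):
    """Return (path, mode, line_numbers) for regular files that are
    world-readable AND contain credential-looking lines. With fix=True
    each such file is also restricted to owner read/write (0600)."""
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            mode = stat.S_IMODE(st.st_mode)
            if not mode & stat.S_IROTH:
                continue  # not readable by "other": outside this check
            with open(path, "r", errors="replace") as fh:
                hits = [n for n, line in enumerate(fh, 1) if SECRET_LINE.search(line)]
            if hits:
                findings.append((path, mode, hits))  # never record the secret itself
                if fix:
                    os.chmod(path, 0o600)
    return findings


def demo():
    """Build a constructed log directory and audit it."""
    tmp = tempfile.mkdtemp()
    exposed = os.path.join(tmp, "install-debug.log")  # constructed file name
    with open(exposed, "w") as fh:
        fh.write("DEBUG: loading deployment configuration\n"
                 "DEBUG: admin_password = Secret.123\n"  # constructed sample line
                 "INFO: installation complete\n")
    os.chmod(exposed, 0o644)  # world-readable, as in the flaw description
    private = os.path.join(tmp, "install-private.log")
    with open(private, "w") as fh:
        fh.write("DEBUG: admin_password = Secret.123\n")
    os.chmod(private, 0o600)  # same content, but owner-only: not reported
    return audit_logs(tmp, fix=True), exposed


if __name__ == "__main__":
    for path, mode, lines in demo()[0]:
        print(f"{path}: mode {oct(mode)}, credential-like lines {lines}")
```

Tightening the mode only stops further reads; any credential found in a file that was world-readable should be treated as exposed and rotated.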