Bug 1959971 (CVE-2021-3551) - CVE-2021-3551 pki-server: Dogtag installer "pkispawn" logs admin credentials into a world-readable log file
Status: CLOSED ERRATA
Alias: CVE-2021-3551
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1960143 1960144 1960145 1960146 1960147 1960167 1967401 2184518
Blocks: 1959973 1960325
Reported: 2021-05-12 18:17 UTC by Pedro Sampaio
Modified: 2023-04-04 21:27 UTC

Fixed In Version: pki-core 10.10.6
Last Closed: 2021-06-03 11:32:12 UTC

Description Pedro Sampaio 2021-05-12 18:17:15 UTC
A flaw was found in pki-core 10.10. Older versions are not affected.

When the pkispawn command is run in debug mode, admin credentials are stored in the installation log file, which is world readable.
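
A defender-side check for the exposure described above, as an added example that is not part of this bug report or of pki-core: it walks a log directory and reports files that are readable by "other" and contain secret-like key/value lines. The directory argument, the file names and the `SECRET_LINE` pattern are assumptions, and the sample log content is constructed.

```python
import os
import re
import stat
import tempfile

# Assumed pattern for key/value lines whose key names a secret.
# It is not taken from the installer's actual log format.
SECRET_LINE = re.compile(r"(?i)\b[\w.]*(password|passwd|secret|token)[\w.]*\s*[=:]\s*\S+")


def audit_logs(log_dir):
    """Return [(path, mode, line_numbers)] for world-readable files with secret-like lines."""
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices
            if not st.st_mode & stat.S_IROTH:
                continue  # not readable by "other", so not this exposure
            with open(path, "r", errors="replace") as fh:
                hits = [n for n, line in enumerate(fh, 1) if SECRET_LINE.search(line)]
            if hits:
                # Report line numbers only, never the matched value itself.
                findings.append((path, stat.S_IMODE(st.st_mode), hits))
    return findings


def demo():
    """Build a constructed log directory with one 0644 and one 0600 file, then audit it."""
    log_dir = tempfile.mkdtemp()
    sample = "DEBUG: starting\nDEBUG: admin_password = Example123\nINFO: done\n"  # constructed
    for name, mode in (("spawn-open.log", 0o644), ("spawn-tight.log", 0o600)):
        path = os.path.join(log_dir, name)
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, mode)  # set the mode explicitly, independent of the umask
    return [(os.path.basename(p), m, h) for p, m, h in audit_logs(log_dir)]


if __name__ == "__main__":
    for name, mode, lines in demo():
        print(f"{name} mode={mode:o} secret-like lines={lines}")
```

Any file this reports on a real host should have its permissions tightened, and the credentials it contains should be treated as exposed and rotated.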

Comment 5 Cedric Buissart 2021-05-13 12:27:01 UTC
Acknowledgments:

Name: Christian Heimes

Comment 8 Cedric Buissart 2021-06-03 06:03:13 UTC
Created pki-core tracking bugs for this issue:

Affects: fedora-all [bug 1967401]

Comment 9 errata-xmlrpc 2021-06-03 11:06:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2235 https://access.redhat.com/errata/RHSA-2021:2235

Comment 10 Product Security DevOps Team 2021-06-03 11:32:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3551

