Bug 2083851 (CVE-2022-1662) - CVE-2022-1662 convert2rhel: ansible playbook passes credentials to convert2rhel via CLI
Summary: CVE-2022-1662 convert2rhel: ansible playbook passes credentials to convert2rh...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-1662
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2054854 2083859
Reported: 2022-05-10 19:33 UTC by Todd Cullum
Modified: 2022-07-14 13:34 UTC (History)
2 users

Fixed In Version: convert2rhel 0.26 Vivi
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in convert2rhel, where an Ansible playbook named ansible/run-convert2rhel.yml passes the Red Hat Subscription Manager user password via the CLI to convert2rhel. This flaw allows unauthorized local users to view the password via the process list while convert2rhel is running.
Clone Of:
Environment:
Last Closed: 2022-05-12 06:15:16 UTC
Embargoed:



Description Todd Cullum 2022-05-10 19:33:05 UTC
In convert2rhel 0.24 and 0.25, there's an Ansible playbook named ansible/run-convert2rhel.yml which passes the Red Hat Subscription Manager user password via the CLI to convert2rhel. This could allow unauthorized local users to view the password via the process list while convert2rhel is running. However, this Ansible playbook is only an example in the upstream repository and it is not shipped in officially supported versions of convert2rhel.

Commit that introduced the flaw: https://github.com/oamg/convert2rhel/commit/01a6d5596c88118b871f849077f4ffd44ba9e5aa
Upstream patch: https://github.com/oamg/convert2rhel/pull/493/commits/15cace456d06f31e7ddb7cdb443bd2cc8a1614e1

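As an added illustration (not code from the report, the playbook or convert2rhel itself), the check a defender would run for this class of flaw: read each process's argv from /proc and flag secret-bearing options, the same view an unprivileged local user gets from `ps`. Flag names other than --password, the -p short form and the sample command line are assumptions.

```python
import os

# Options whose next token (or "=value" suffix) is a secret. --password is
# the option named in the report; -p is convert2rhel's short form and the
# rest are common equivalents in other tools (assumption). Short flags can
# collide with unrelated tools (e.g. mkdir -p), so tune the set per target.
SECRET_FLAGS = {"--password", "-p", "--activationkey", "--token"}

def find_exposed_secrets(argv):
    """Return (flag, value) pairs for secrets visible in an argv list."""
    found = []
    for i, arg in enumerate(argv):
        if arg in SECRET_FLAGS and i + 1 < len(argv):
            found.append((arg, argv[i + 1]))
        elif "=" in arg:
            flag, value = arg.split("=", 1)
            if flag in SECRET_FLAGS:
                found.append((flag, value))
    return found

def redact(argv):
    """Copy of argv with secret values masked, safe to write to a log."""
    out, skip = [], False
    for arg in argv:
        if skip:
            out.append("***")
            skip = False
        elif arg in SECRET_FLAGS:
            out.append(arg)
            skip = True
        elif "=" in arg and arg.split("=", 1)[0] in SECRET_FLAGS:
            out.append(arg.split("=", 1)[0] + "=***")
        else:
            out.append(arg)
    return out

def parse_proc_cmdline(raw):
    """Split the NUL-separated /proc/<pid>/cmdline blob into argv strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def scan_proc(proc="/proc"):
    """Yield (pid, redacted argv, findings) for processes exposing a secret."""
    for pid in (d for d in os.listdir(proc) if d.isdigit()):
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as fh:
                argv = parse_proc_cmdline(fh.read())
        except OSError:  # process exited or cmdline not readable
            continue
        hits = find_exposed_secrets(argv)
        if hits:
            yield int(pid), redact(argv), hits

# Constructed sample of what /proc/<pid>/cmdline would hold while a task like
# the example playbook's runs (not a real capture).
SAMPLE_CMDLINE = b"/usr/bin/convert2rhel\0-y\0--username\0rhn-user\0--password\0s3cr3t\0"

if __name__ == "__main__":
    for pid, argv, hits in scan_proc():
        print(pid, " ".join(argv), [flag for flag, _ in hits])
```

Run as root or as any local user: a hit means the secret is readable by every account on the host for the lifetime of the process, which is what the report describes.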
Comment 1 Product Security DevOps Team 2022-05-12 06:15:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1662
