Bug 2158702 - Satellite users with access to Virt-who Configurations can read out the 'Hypervisor Password ' from the input field
Summary: Satellite users with access to Virt-who Configurations can read out the 'Hype...
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Virt-who Configure Plugin
Version: 6.12.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: 6.14.0
Assignee: Lucy Fu
QA Contact: yanpliu
URL: https://projects.theforeman.org/issue...
Whiteboard:
Duplicates: 1599675 (view as bug list)
Depends On:
Blocks:
 
Reported: 2023-01-06 07:47 UTC by Jayant Bhatia
Modified: 2023-06-30 07:08 UTC
CC List: 7 users

Fixed In Version: rubygem-foreman_virt_who_configure-0.5.15-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links:
- Foreman Issue Tracker 36460 (Priority: Normal, Status: Closed): Satellite users with access to Virt-who Configurations can read out the 'Hypervisor Password' from the input field. Last updated 2023-06-15 05:21:59 UTC.
- Github theforeman foreman_virt_who_configure pull 165 (Status: Merged): Fixes #36460 - Hide password from inspect. Last updated 2023-06-15 05:21:58 UTC.
- Red Hat Issue Tracker SAT-17378. Last updated 2023-04-27 16:08:52 UTC.

Description Jayant Bhatia 2023-01-06 07:47:37 UTC
Description of problem:

Users logged in to the Satellite WebUI who have access to the virt-who configuration mask (foreman_virt_who_configure/configs/1/edit) can read out the current password from the 'Hypervisor Password' input field.

This is a security incident because not all Satellite administrators have access to the VMware infrastructure, and the 'Hypervisor Password' should not be exposed to them.


Version-Release number of selected component (if applicable): All Satellite versions


How reproducible: Always


Steps to Reproduce:

1. Navigate to Satellite WebUI -> Infrastructure -> Virt-who configurations -> create a configuration, filling in all the details.

2. Navigate to Satellite WebUI -> Infrastructure -> Virt-who configurations -> <Configuration-Name> -> Edit.

3. Place the pointer on the 'Hypervisor Password' field, right-click on the password field and click on "Inspect".

Actual results: The real password is shown in the value field of the input object.

Expected results: The input field "foreman_virt_who_configure_config[hypervisor_password]" should only contain dummy data.


Additional info: The web frontend of Satellite is leaking this password. It would be great if Satellite would use the same password input mechanism for virt-who as for the compute resources or the LDAP binding accounts:

/compute_resources/1-myvmware/edit#
/auth_source_ldaps/5-myldap/edit

If we go to Satellite WebUI -> Administer -> Authentication Sources, you will not get the 'Account Password' in the same way.
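
The following Ruby sketch is an added illustration of the two behaviours the report contrasts; it is not code from this page, from Foreman or from the foreman_virt_who_configure plugin, and the record, field name handling and helper names (leaky_password_field, safe_password_field, apply_update, leaks_secret?) are assumptions made for the example. The leaky variant echoes the stored secret into the input's value attribute, which is exactly what "Inspect" shows; the hardened variant renders only dummy placeholder data and the server keeps the existing password unless a non-empty replacement is submitted. leaks_secret? is the check a reviewer would run over the rendered edit page (for instance the body of an authenticated GET of the edit URL) to confirm the secret is gone.

```ruby
require 'cgi'

# Constructed sample record standing in for a stored virt-who configuration.
SAMPLE_CONFIG = {
  hypervisor_username: 'vcenter-svc',
  hypervisor_password: 'S3cr3t!'
}.freeze

# Form field name taken from the bug report.
FIELD = 'foreman_virt_who_configure_config[hypervisor_password]'.freeze

# Leaky rendering: the real secret is written into value="", so anyone who
# can open the edit form can read it via the browser's element inspector.
def leaky_password_field(config)
  secret = CGI.escapeHTML(config[:hypervisor_password].to_s)
  %(<input type="password" name="#{FIELD}" value="#{secret}">)
end

# Hardened rendering: the secret never reaches the HTML. A dummy placeholder
# tells the user a password is set; the value attribute stays empty.
def safe_password_field(config)
  dummy = config[:hypervisor_password].to_s.empty? ? '' : '********'
  %(<input type="password" name="#{FIELD}" value="" ) +
    %(placeholder="#{dummy}" autocomplete="new-password">)
end

# Server side counterpart: an empty submission means "keep the current
# password"; only a non-empty value replaces it. Without this, the empty
# field above would wipe the stored secret on every save.
def apply_update(config, params)
  updated = config.dup
  new_pw = params[FIELD].to_s
  updated[:hypervisor_password] = new_pw unless new_pw.empty?
  updated
end

# Reviewer's check: does the rendered HTML contain the live secret
# (in the same HTML-escaped form the template would emit)?
def leaks_secret?(html, secret)
  !secret.to_s.empty? && html.include?(CGI.escapeHTML(secret.to_s))
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky: #{leaky_password_field(SAMPLE_CONFIG)}"
  puts "safe:  #{safe_password_field(SAMPLE_CONFIG)}"
  puts "leaky form leaks? #{leaks_secret?(leaky_password_field(SAMPLE_CONFIG), 'S3cr3t!')}"
  puts "safe form leaks?  #{leaks_secret?(safe_password_field(SAMPLE_CONFIG), 'S3cr3t!')}"
end
```

Hiding the value from the form only closes the channel this report describes; any other path that serialises the configuration back to a user (an API response, an export, a log line) needs the same check before the password can be considered protected from operators who should not hold it.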

Comment 3 Brad Buckingham 2023-05-01 13:16:54 UTC
*** Bug 1599675 has been marked as a duplicate of this bug. ***

Comment 4 Chris Roberts 2023-06-02 13:53:34 UTC
This has an open PR so keep this one

Comment 5 Bryan Kearney 2023-06-06 04:02:48 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/36460 has been resolved.

