Bug 2224630 (CVE-2023-4065) - CVE-2023-4065 Red Hat AMQ Broker Operator: plaintext password in operator log
Summary: CVE-2023-4065 Red Hat AMQ Broker Operator: plaintext password in operator log
Keywords:
Status: NEW
Alias: CVE-2023-4065
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2224626
Reported: 2023-07-21 17:53 UTC by Chess Hazlett
Modified: 2023-09-26 13:09 UTC (History)

Fixed In Version: Red Hat AMQ Broker 7.11.1.OPR.2.GA
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Red Hat AMQ Broker Operator: a password defined in the ActiveMQArtemisAddress CR was written in plain text to the Operator Log. This flaw allows an authenticated local attacker to access information outside of their permissions.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2023:4720 | 0 | None | None | None | 2023-08-23 14:44:15 UTC

Description Chess Hazlett 2023-07-21 17:53:24 UTC
The password defined in ActiveMQArtemisAddress CR is shown in plain text in the Operator Log. An authed attacker could use this flaw to access information outside of their permissions.

Comment 3 errata-xmlrpc 2023-08-23 14:44:14 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:4720 https://access.redhat.com/errata/RHSA-2023:4720

