Fedora Account System
Red Hat Associate
Red Hat Customer
Repository: assisted-migration-agent Priority: High Location: pkg/vmware/auth.go:78 (and 4+ other sites) Description: Every code path that connects to vCenter hardcodes insecure=true: soap.NewClient(u, true) in auth.go:78, vmware.NewVsphereClient(ctx, creds, true) in inspector.go:97 and forecaster.go:114/194, and cfg.Insecure = true in rightsizing.go:258. There is no configuration option to provide a CA bundle or enable verification. Security Impact: govmomi's Login() sends vCenter credentials over these connections Any MITM attacker (ARP spoofing, rogue DHCP, compromised switch) can harvest vCenter administrator credentials Can be chained with migration-planner f003 for cross-tenant credential theft Fix Suggestion: Extend models.Credentials with CACert []byte and Insecure bool (default false) Create pkg/vmware.NewSoapClient() helper that loads CA into TLSClientConfig.RootCAs Replace all five literal-true sites with the helper Add CA-upload field to UI See patches/f002.note.md for architectural details.