A flaw was discovered in cumin where it would log broker authentication credentials to the cumin log file. A local user exploiting this flaw could connect to the broker outside of cumin's control and perform certain operations such as scheduling jobs, setting attributes on jobs, as well as holding, releasing or removing jobs. The user could also use this to, depending on the defined ACLs of the broker, manipulate message queues and other privileged operations.
Note that in MRG 2, the broker username and password are stored in configuration files that are not publicly readable (unlike MRG 1.3). As well, in MRG 1.3, cumin operations were not restricted by any authentication, unlike MRG 2 where authentication is required. This makes the exposure of credentials in the MRG 2 log files much more significant than on MRG 1.3.
This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2011:1250 https://rhn.redhat.com/errata/RHSA-2011-1250.html
This issue has been addressed in following products: MRG for RHEL-5 v. 2 Via RHSA-2011:1249 https://rhn.redhat.com/errata/RHSA-2011-1249.html