Dominic Cleal of Red Hat reports:
Users who are logged in with permissions to view some hosts are able to
preview provisioning templates for any host by specifying its hostname
in the URL, as the specific view_hosts permissions and filters aren't
checked. If the organization or location features are enabled, the user
will still be restricted to their associated orgs/locs.
This can disclose configuration information about the host, including
root password hashes if used in preseed/kickstart templates.
Name: Dominic Cleal (Red Hat)
This issue has been addressed in the following products:
Red Hat Satellite 6.3 for RHEL 7
Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336