Bug 1560035 (CVE-2018-1090) - CVE-2018-1090 pulp: sensitive credentials revealed through the API
Summary: CVE-2018-1090 pulp: sensitive credentials revealed through the API
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1090
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1560080 1564123
Blocks: 1560037
TreeView+ depends on / blocked
 
Reported: 2018-03-23 18:48 UTC by Laura Pardo
Modified: 2021-04-06 17:49 UTC (History)
21 users (show)

Fixed In Version: pulp 2.16.2
Clone Of:
Environment:
Last Closed: 2019-07-12 13:05:12 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Pulp Redmine 3521 0 Normal CLOSED - CURRENTRELEASE last_override_config exposes sensitive info 2018-09-12 17:02:32 UTC
Red Hat Product Errata RHSA-2018:2927 0 None None None 2018-10-16 15:21:47 UTC

Description Laura Pardo 2018-03-23 18:48:29 UTC 
A flaw was found in Pulp. Importers and distributors have a "last_override_config" object which is exposed via the API. In several cases, secrets are passed into override_config when triggering a task. If these config items are given, they're stored in last_override_config and then become readable to all users with read access on the distributor/importer. Since Pulp installations internally have widely shared read-only accounts which allows everyone to freely data mine / build applications on top of our Pulp without administrative hassle, saved credentials might be accidentally revealed through the API to unwanted users.
Comment 1 Kurt Seifried 2018-03-23 20:44:19 UTC 
Created pulp tracking bugs for this issue:

Affects: fedora-all [bug 1560080]
Comment 3 Kurt Seifried 2018-03-23 20:53:23 UTC 
External References:

https://pulp.plan.io/issues/3521
Comment 4 pulp-infra@redhat.com 2018-03-23 21:08:18 UTC 
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.
Comment 5 pulp-infra@redhat.com 2018-03-23 21:08:28 UTC 
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
Comment 9 Andrej Nemec 2018-05-14 15:25:31 UTC 
Statement:

This issue affects the versions of pulp as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having security impact of (Low|Moderate). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of pulp as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 10 pulp-infra@redhat.com 2018-06-01 18:33:06 UTC 
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.
Comment 11 pulp-infra@redhat.com 2018-06-01 21:12:03 UTC 
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.
Comment 12 pulp-infra@redhat.com 2018-06-04 15:36:49 UTC 
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
Comment 13 pulp-infra@redhat.com 2018-06-04 16:02:47 UTC 
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.
Comment 14 Bryan Kearney 2018-06-05 13:36:30 UTC 
T
Comment 15 Bryan Kearney 2018-06-05 13:37:01 UTC 
This is fiexed in pulp-2.16.2
Comment 16 pulp-infra@redhat.com 2018-09-12 17:02:33 UTC 
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Comment 17 errata-xmlrpc 2018-10-16 15:21:31 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927
Comment 18 Product Security DevOps Team 2019-07-12 13:05:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1090
Note You need to log in before you can comment on or make changes to this bug.