Bug 1560035 (CVE-2018-1090) - CVE-2018-1090 pulp: sensitive credentials revealed through the API
Summary: CVE-2018-1090 pulp: sensitive credentials revealed through the API
Status: POST
Alias: CVE-2018-1090
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180323,repor...
Keywords: Security
Depends On: 1560080 1564123
Blocks: 1560037
TreeView+ depends on / blocked
 
Reported: 2018-03-23 18:48 UTC by Laura Pardo
Modified: 2018-10-16 15:21 UTC (History)
22 users (show)

Fixed In Version: pulp 2.16.2
Doc Type: If docs needed, set a value
Doc Text:
In pulp, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2927 None None None 2018-10-16 15:21 UTC
Pulp Redmine 3521 Normal CLOSED - CURRENTRELEASE last_override_config exposes sensitive info 2018-09-12 17:02 UTC

Description Laura Pardo 2018-03-23 18:48:29 UTC
A flaw was found in Pulp. Importers and distributors have a "last_override_config" object which is exposed via the API. In several cases, secrets are passed into override_config when triggering a task. If these config items are given, they're stored in last_override_config and then become readable to all users with read access on the distributor/importer. Since Pulp installations internally have widely shared read-only accounts which allows everyone to freely data mine / build applications on top of our Pulp without administrative hassle, saved credentials might be accidentally revealed through the API to unwanted users.

Comment 1 Kurt Seifried 2018-03-23 20:44:19 UTC
Created pulp tracking bugs for this issue:

Affects: fedora-all [bug 1560080]

Comment 3 Kurt Seifried 2018-03-23 20:53:23 UTC
External References:

https://pulp.plan.io/issues/3521

Comment 4 pulp-infra@redhat.com 2018-03-23 21:08:18 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 5 pulp-infra@redhat.com 2018-03-23 21:08:28 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 9 Andrej Nemec 2018-05-14 15:25:31 UTC
Statement:

This issue affects the versions of pulp as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having security impact of (Low|Moderate). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of pulp as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 pulp-infra@redhat.com 2018-06-01 18:33:06 UTC
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 11 pulp-infra@redhat.com 2018-06-01 21:12:03 UTC
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

Comment 12 pulp-infra@redhat.com 2018-06-04 15:36:49 UTC
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 13 pulp-infra@redhat.com 2018-06-04 16:02:47 UTC
All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Comment 14 Bryan Kearney 2018-06-05 13:36:30 UTC
T

Comment 15 Bryan Kearney 2018-06-05 13:37:01 UTC
This is fiexed in pulp-2.16.2

Comment 16 pulp-infra@redhat.com 2018-09-12 17:02:33 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 17 errata-xmlrpc 2018-10-16 15:21:31 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927


Note You need to log in before you can comment on or make changes to this bug.