A vulnerability was found in the way the Satellite 6 installer logs calls to Candlepin's cpdb. The permissions on the /var/log/candlepin/cpdb.log log file allow a non-privileged user to read credential information from the log files. Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1692703
Mitigation: Remove the world-readable permission from /var/log/candlepin/cpdb.log by running the following as root on the console of the machine where Red Hat Satellite is installed: chmod o-r /var/log/candlepin/cpdb.log
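The mitigation above as a check-then-fix script that also confirms the result. This is an added example, not part of the advisory or of Red Hat's tooling; the function names and the --apply switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): check for the world-readable bit on
# the Candlepin cpdb log and apply the advisory's "chmod o-r" mitigation.
# Function names and the --apply switch are hypothetical.
CPDB_LOG=/var/log/candlepin/cpdb.log   # path named in the advisory

# Succeeds (exit 0) when "other" users hold read permission on the file.
# find -H resolves a symlink given on the command line; -perm -004 tests o+r.
is_world_readable() {
    [ -n "$(find -H "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Returns 0 when the file ends up not world-readable, 1 when the fix failed,
# 2 when the file does not exist.
harden_log() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "SKIP  $f (not present)"
        return 2
    fi
    if ! is_world_readable "$f"; then
        echo "OK    $f"
        return 0
    fi
    # Same command as the advisory's mitigation; needs root on a real system.
    if chmod o-r "$f" && ! is_world_readable "$f"; then
        echo "FIXED $f"
        return 0
    fi
    echo "FAIL  $f (still world-readable)" >&2
    return 1
}

# Only touch the real log when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    harden_log "$CPDB_LOG"
fi
```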
Acknowledgments: Evgeni Golov (Red Hat)
This issue has been addressed in the following products: Red Hat Satellite 6.5 for RHEL 7, via RHSA-2019:1222 https://access.redhat.com/errata/RHSA-2019:1222