A flaw was found in Foreman. The issue allows an identified user with "delete compute resource" permission to recover the plaintext password or token for the compute resource.
Upstream issue: https://projects.theforeman.org/issues/26450
Upstream patch: https://github.com/theforeman/foreman/pull/6621
References: https://bugzilla.redhat.com/show_bug.cgi?id=1692644
Acknowledgments: Name: Vatsal Parekh (Red Hat)
Mitigation: Do not grant the "destroy_compute_resource" permission to users that should not know the password.
This issue has been addressed in the following products:
Red Hat Satellite 6.6 for RHEL 7
Via RHSA-2019:3172 https://access.redhat.com/errata/RHSA-2019:3172