Описание
In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
In pulp, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
Отчет
This issue affects the versions of pulp as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having security impact of (Low|Moderate). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. This issue affects the versions of pulp as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Subscription Asset Manager | pulp | Will not fix | ||
| Red Hat Satellite 6.4 for RHEL 7 | ansiblerole-insights-client | Fixed | RHSA-2018:2927 | 16.10.2018 |
| Red Hat Satellite 6.4 for RHEL 7 | candlepin | Fixed | RHSA-2018:2927 | 16.10.2018 |
| Red Hat Satellite 6.4 for RHEL 7 | createrepo_c | Fixed | RHSA-2018:2927 | 16.10.2018 |
| Red Hat Satellite 6.4 for RHEL 7 | foreman | Fixed | RHSA-2018:2927 | 16.10.2018 |
| Red Hat Satellite 6.4 for RHEL 7 | foreman-bootloaders-redhat | Fixed | RHSA-2018:2927 | 16.10.2018 |
| Red Hat Satellite 6.4 for RHEL 7 | foreman-installer | Fixed | RHSA-2018:2927 | 16.10.2018 |
| Red Hat Satellite 6.4 for RHEL 7 | foreman-proxy | Fixed | RHSA-2018:2927 | 16.10.2018 |
| Red Hat Satellite 6.4 for RHEL 7 | foreman-selinux | Fixed | RHSA-2018:2927 | 16.10.2018 |
| Red Hat Satellite 6.4 for RHEL 7 | gofer | Fixed | RHSA-2018:2927 | 16.10.2018 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.5 Medium
CVSS3
Связанные уязвимости
In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
EPSS
5.5 Medium
CVSS3