Bug #19169

CVE-2017-2672 - audit trail leaks sensitive data for Image events

Added by Daniel Kimsey 6 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Assigned To: Marek Hulán
Category: Audit Log
Target version: Team Marek Iteration 13
Difficulty:
Bugzilla link: 1447510
Found in release: 1.13.4
Pull request: https://github.com/theforeman/foreman/pull/4438
Story points: -
Velocity based estimate: -
Release: 1.15.0
Release relationship: Auto

Description

If one looks at an audit record for Image creation, the password used is recorded in plaintext. This must be censored.

The attached image is rendered from a specific audit entry, such as: https://katello.acme.com/audits/1234
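A minimal illustration of the defect and of the fix recorded in the associated revision (dropping the password attribute from the audit), written here as an added example rather than Foreman's own code: the audit helper, the sensitive-attribute list and the sample Image record are all assumptions.

```ruby
# Added example, not Foreman code: models how an audit trail captures attribute
# changes, contrasting an audit that records every attribute with one that
# excludes password-like fields before the record is written.

# Attribute names that must never reach the audit table (assumed list).
SENSITIVE_ATTRIBUTES = %w[password].freeze

# Build the audited_changes hash for an update: each changed attribute maps to
# [old, new]. Attributes named in `except` are skipped entirely.
def audited_changes(before, after, except: [])
  (before.keys | after.keys).each_with_object({}) do |attr, changes|
    next if except.include?(attr)
    next if before[attr] == after[attr]
    changes[attr] = [before[attr], after[attr]]
  end
end

# Vulnerable behaviour: every attribute is audited, so the plaintext password
# is stored alongside the other changes.
def audit_image_unfiltered(before, after)
  audited_changes(before, after)
end

# Fixed behaviour: sensitive attributes are excluded before the audit is built.
def audit_image_filtered(before, after)
  audited_changes(before, after, except: SENSITIVE_ATTRIBUTES)
end

# Review helper for rows written before the fix: which sensitive attributes does
# an existing audited_changes hash still carry?
def leaked_attributes(audit_row)
  audit_row.keys & SENSITIVE_ATTRIBUTES
end

# Constructed sample: an Image record whose username and password were changed.
IMAGE_BEFORE = { "name" => "centos7", "username" => "root", "password" => "oldpass" }.freeze
IMAGE_AFTER  = { "name" => "centos7", "username" => "cloud-user", "password" => "s3cret" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered audit: #{audit_image_unfiltered(IMAGE_BEFORE, IMAGE_AFTER)}"
  puts "filtered audit:   #{audit_image_filtered(IMAGE_BEFORE, IMAGE_AFTER)}"
end
```

The unfiltered hash is what an audit page such as the one in the report would render; the filtered hash still records that the credentials changed without recording the value.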

Screen_Shot_2017-04-04_at_14_43_36.png (37.8 KB) Daniel Kimsey, 04/04/2017 03:55 PM

Related issues

Related to Foreman - Refactor #20116: Redact sensitive information from audit logs New 06/27/2017

Associated revisions

Revision 02489389
Added by Marek Hulán 6 months ago

Fixes #19169 - remove image password from audit

History

#1 Updated by Marek Hulán 6 months ago

  • Category changed from Web Interface to Audit Log

#2 Updated by The Foreman Bot 6 months ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Marek Hulán
  • Pull request https://github.com/theforeman/foreman/pull/4438 added

#3 Updated by Dominic Cleal 6 months ago

  • Subject changed from audit trail leaks sensitive data for Image events to CVE-2017-2672 - audit trail leaks sensitive data for Image events

Report forwarded to , CVE-2017-2672 was assigned to identify the vulnerability.

#4 Updated by Marek Hulán 6 months ago

  • Target version set to Team Marek Iteration 13

#5 Updated by Marek Hulán 6 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#6 Updated by Daniel Lobato Garcia 6 months ago

  • Release set to 1.15.0

Setting to 1.15, it'll be cherry-picked for RC2.

#7 Updated by Bryan Kearney 5 months ago

  • Bugzilla link set to 1447510

#8 Updated by Tomer Brisker 3 months ago

  • Related to Refactor #20116: Redact sensitive information from audit logs added
