Bug #19169
CVE-2017-2672 - audit trail leaks sensitive data for Image events
Description
If one looks at an audit record for Image creation, the password used is recorded in plaintext. This must be censored.
The attached image is rendered from a specific audit entry, such as: https://katello.acme.com/audits/1234
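The leak described above, next to a censored form, as an added example that is not part of the original report and is not Foreman's code. The function names, the attribute-name pattern and the sample Image attributes are all hypothetical and constructed for illustration.

```ruby
# Added illustration; not Foreman's code. All names below are hypothetical.
REDACTED = '[redacted]'.freeze
SENSITIVE = /password|secret|token/i # assumed naming convention

# Constructed sample: attributes of an Image record before and after creation.
BEFORE = { name: nil, username: nil, password: nil }.freeze
AFTER  = { name: 'centos7', username: 'root', password: 'constructed-sample-pw' }.freeze

# Vulnerable: every changed attribute is stored as [old, new], password included.
def audit_changes_naive(before, after)
  after.each_with_object({}) do |(attr, new_val), changes|
    old_val = before[attr]
    changes[attr] = [old_val, new_val] unless old_val == new_val
  end
end

# Hardened: the change is still recorded, but sensitive values are replaced.
def audit_changes_redacted(before, after, sensitive: SENSITIVE)
  audit_changes_naive(before, after).map do |attr, values|
    next [attr, values] unless attr.to_s.match?(sensitive)
    [attr, values.map { |v| v.nil? ? nil : REDACTED }]
  end.to_h
end

# Check for stored audit records: sensitive attributes still holding real values.
def leaked_attributes(changes, sensitive: SENSITIVE)
  changes.select do |attr, values|
    attr.to_s.match?(sensitive) && Array(values).any? { |v| !v.nil? && v != REDACTED }
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  naive = audit_changes_naive(BEFORE, AFTER)
  safe  = audit_changes_redacted(BEFORE, AFTER)
  puts "naive:    #{naive.inspect} leaked=#{leaked_attributes(naive)}"
  puts "redacted: #{safe.inspect} leaked=#{leaked_attributes(safe)}"
end
```

Redacting at write time does not clean audit rows that were stored earlier, so a check like `leaked_attributes` is the part to run over existing records.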
Related issues
Associated revisions
Fixes #19169 - remove image password from audit
History
#1
Updated by Marek Hulán almost 6 years ago
- Category changed from Web Interface to Audit Log
#2
Updated by The Foreman Bot almost 6 years ago
- Status changed from New to Ready For Testing
- Assignee set to Marek Hulán
- Pull request https://github.com/theforeman/foreman/pull/4438 added
#3
Updated by Dominic Cleal almost 6 years ago
- Subject changed from audit trail leaks sensitive data for Image events to CVE-2017-2672 - audit trail leaks sensitive data for Image events
Report forwarded to foreman-security@googlegroups.com, CVE-2017-2672 was assigned to identify the vulnerability.
#4
Updated by Marek Hulán almost 6 years ago
- Target version set to 1.13.0
#5
Updated by Marek Hulán almost 6 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 02489389f1a4443e1f437b86aa7ce245f1437020.
#6
Updated by Daniel Lobato Garcia almost 6 years ago
- Legacy Backlogs Release (now unused) set to 209
Setting to 1.15, it'll be cherry-picked for RC2.
#7
Updated by Bryan Kearney almost 6 years ago
- Bugzilla link set to 1447510
#8
Updated by Tomer Brisker over 5 years ago
- Related to Refactor #20116: Redact sensitive information from audit logs added
#9
Updated by Anonymous over 5 years ago
- Related to Refactor #21920: Refactor password auditing added