Bug #27485
CVE-2019-14825: Registry credentials are captured in plain text in dynflow task during repository discovery
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1730668
Description of problem:
Observed in the server running on-
Always
Steps to Reproduce:
1. Login to Satellite WebUI
2. Content> Products> Repo Discovery
3. Select 'Container Images' for 'Repository Type'
4. Select 'Red Hat registry' or 'custom' for 'Registry to Discover'
5. Enter registry username and password
6. click on 'Discover'
7. Check the relevant task on the tasks page and verify the dynflow console, the action Actions::Katello::Repository::Discover shows the input parameters which contains upstream_password in plain text.
Actual results:
Password is visible in plain text, e.g.-
---
url: registry.access.redhat.com
content_type: docker
upstream_username: admin
upstream_password: test
Expected results:
upstream_password should be encrypted
Related issues
Associated revisions
Refs #27485 - Clear proxy settings for tests
History
#1
Updated by The Foreman Bot over 3 years ago
- Assignee set to Justin Sherrill
- Status changed from New to Ready For Testing
- Pull request https://github.com/Katello/katello/pull/8244 added
#2
Updated by Justin Sherrill over 3 years ago
- Triaged changed from No to Yes
- Target version set to Katello 3.12.2
- Subject changed from Registry credentials are captured in plain text in dynflow task during repository discovery to Registry credentials are captured in plain text in dynflow task during repository discovery
#3
Updated by The Foreman Bot over 3 years ago
- Fixed in Releases Katello 3.14.0 added
#4
Updated by Justin Sherrill over 3 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset katello|bc9fa1391334a165b22e89a3a3e2e5142b221ddb.
#5
Updated by The Foreman Bot over 3 years ago
- Pull request https://github.com/Katello/katello/pull/8253 added
#6
Updated by Tomer Brisker over 3 years ago
- Subject changed from Registry credentials are captured in plain text in dynflow task during repository discovery to CVE-2019-14825: Registry credentials are captured in plain text in dynflow task during repository discovery
#7
Updated by Tomer Brisker about 3 years ago
- Related to Feature #18253: repo search for docker image repos using the results of docker search added
Fixes #27485 - encrypt discovery password within task