Bug #27485: CVE-2019-14825: Registry credentials are captured in plain text in dynflow task during repository discovery - Katello - Foreman

Bug #27485

CVE-2019-14825: Registry credentials are captured in plain text in dynflow task during repository discovery

Added by Justin Sherrill over 3 years ago. Updated over 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Justin Sherrill

Category:

Repositories

Target version:

Katello 3.12.2

Difficulty:

Triaged:

Yes

Bugzilla link:

1730668

Pull request:

https://github.com/Katello/katello/pull/8253, https://github.com/Katello/katello/pull/8244

Fixed in Releases:

Katello 3.14.0

Found in Releases:

Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1730668

Description of problem:
Observed in the server running on-
Always

Steps to Reproduce:
1. Login to Satellite WebUI
2. Content> Products> Repo Discovery
3. Select 'Container Images' for 'Repository Type'
4. Select 'Red Hat registry' or 'custom' for 'Registry to Discover'
5. Enter registry username and password
6. click on 'Discover'
7. Check the relevant task on the tasks page and verify the dynflow console, the action Actions::Katello::Repository::Discover shows the input parameters which contains upstream_password in plain text.

Actual results:
Password is visible in plain text, e.g.-
---
url: registry.access.redhat.com
content_type: docker
upstream_username: admin
upstream_password: test

Expected results:
upstream_password should be encrypted

Related issues

Associated revisions

Revision bc9fa139 (diff)
Added by Justin Sherrill over 3 years ago

Fixes #27485 - encrypt discovery password within task

Revision 33248423 (diff)
Added by Chris Roberts over 3 years ago

Refs #27485 - Clear proxy settings for tests

History

#1 Updated by The Foreman Bot over 3 years ago

Assignee set to Justin Sherrill
Status changed from New to Ready For Testing
Pull request https://github.com/Katello/katello/pull/8244 added

#2 Updated by Justin Sherrill over 3 years ago

Triaged changed from No to Yes
Target version set to Katello 3.12.2
Subject changed from Registry credentials are captured in plain text in dynflow task during repository discovery to Registry credentials are captured in plain text in dynflow task during repository discovery

#3 Updated by The Foreman Bot over 3 years ago

Fixed in Releases Katello 3.14.0 added

#4 Updated by Justin Sherrill over 3 years ago

Status changed from Ready For Testing to Closed

Applied in changeset katello|bc9fa1391334a165b22e89a3a3e2e5142b221ddb.

#5 Updated by The Foreman Bot over 3 years ago

Pull request https://github.com/Katello/katello/pull/8253 added

#6 Updated by Tomer Brisker over 3 years ago

Subject changed from Registry credentials are captured in plain text in dynflow task during repository discovery to CVE-2019-14825: Registry credentials are captured in plain text in dynflow task during repository discovery

#7 Updated by Tomer Brisker about 3 years ago

Related to Feature #18253: repo search for docker image repos using the results of docker search added

Also available in: Atom PDF

Project

General

Profile

Plugins » Katello

Issues

Custom queries