Project

General

Profile

Actions
Copy link

Bug #27485

closed

CVE-2019-14825: Registry credentials are captured in plain text in dynflow task during repository discovery

Added by Justin Sherrill over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Justin Sherrill
Category:
Repositories
Target version:
Katello 3.12.2
Difficulty:
Triaged:
Yes
Bugzilla link:
1730668
Pull request:
https://github.com/Katello/katello/pull/8244, https://github.com/Katello/katello/pull/8253
Fixed in Releases:
Katello 3.14.0
Found in Releases:
Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1730668

Description of problem:
Observed in the server running on-
Always

Steps to Reproduce:
1. Login to Satellite WebUI
2. Content> Products> Repo Discovery
3. Select 'Container Images' for 'Repository Type'
4. Select 'Red Hat registry' or 'custom' for 'Registry to Discover'
5. Enter registry username and password
6. click on 'Discover'
7. Check the relevant task on the tasks page and verify the dynflow console, the action Actions::Katello::Repository::Discover shows the input parameters which contains upstream_password in plain text.

Actual results:
Password is visible in plain text, e.g.-
---
url: registry.access.redhat.com
content_type: docker
upstream_username: admin
upstream_password: test

Expected results:
upstream_password should be encrypted

Related issues 1 (0 open1 closed)

Related to Katello - Feature #18253: repo search for docker image repos using the results of docker searchClosedThomas McKay01/26/2017Actions
Actions
Copy link
 #1

Updated by The Foreman Bot over 4 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Justin Sherrill
  • Pull request https://github.com/Katello/katello/pull/8244 added
Actions
Copy link
 #2

Updated by Justin Sherrill over 4 years ago

  • Subject changed from Registry credentials are captured in plain text in dynflow task during repository discovery to Registry credentials are captured in plain text in dynflow task during repository discovery
  • Target version set to Katello 3.12.2
  • Triaged changed from No to Yes
Actions
Copy link
 #3

Updated by The Foreman Bot over 4 years ago

  • Fixed in Releases Katello 3.14.0 added
Actions
Copy link
 #4

Updated by Justin Sherrill over 4 years ago

  • Status changed from Ready For Testing to Closed
Actions
Copy link
 #5

Updated by The Foreman Bot over 4 years ago

  • Pull request https://github.com/Katello/katello/pull/8253 added
Actions
Copy link
 #6

Updated by Tomer Brisker over 4 years ago

  • Subject changed from Registry credentials are captured in plain text in dynflow task during repository discovery to CVE-2019-14825: Registry credentials are captured in plain text in dynflow task during repository discovery
Actions
Copy link
 #7

Updated by Tomer Brisker over 4 years ago

  • Related to Feature #18253: repo search for docker image repos using the results of docker search added
Actions
Copy link

Also available in: Atom PDF