CVE-2019-14825: Registry credentials are captured in plain text in dynflow task during repository discovery
Description of problem:
Observed in the server running on-
Steps to Reproduce:
1. Log in to Satellite WebUI
2. Content > Products > Repo Discovery
3. Select 'Container Images' for 'Repository Type'
4. Select 'Red Hat registry' or 'custom' for 'Registry to Discover'
5. Enter registry username and password
6. Click on 'Discover'
7. Check the relevant task on the tasks page and verify the dynflow console; the action Actions::Katello::Repository::Discover shows the input parameters, which contain upstream_password in plain text.
Password is visible in plain text, e.g.-
upstream_password should be encrypted
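One way to meet the expectation that upstream_password is encrypted is to seal the field before the action input is serialized and unseal it only when the action runs. The following is an added example, not code from the report or from the Katello fix; `seal`, `unseal`, `seal_input`, the `enc:v1:` prefix, the key handling and the sample input are all assumptions.

```ruby
require 'json'
require 'openssl'

SENSITIVE_KEYS = %w[upstream_password].freeze # only this key is from the report
PREFIX = 'enc:v1:'                            # hypothetical marker for sealed values

# AES-256-GCM; result is PREFIX + base64(iv || tag || ciphertext).
def seal(value, key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ct = cipher.update(value) + cipher.final
  PREFIX + [iv + cipher.auth_tag + ct].pack('m0')
end

# Reverse of seal; raises OpenSSL::Cipher::CipherError if the value was altered.
def unseal(sealed, key)
  raw = sealed.delete_prefix(PREFIX).unpack1('m0')
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  cipher.auth_data = ''
  (cipher.update(raw[28..]) + cipher.final).force_encoding('UTF-8')
end

# Seal sensitive, non-empty string values anywhere in a nested input hash.
def seal_input(input, key)
  input.to_h do |k, v|
    v = seal_input(v, key) if v.is_a?(Hash)
    secret = SENSITIVE_KEYS.include?(k.to_s) && v.is_a?(String) && !v.empty?
    [k, secret ? seal(v, key) : v]
  end
end

# Constructed sample input; every name except upstream_password is made up.
SAMPLE_INPUT = {
  'url' => 'https://registry.example.test',
  'upstream_username' => 'svc-discovery',
  'upstream_password' => 'S3cr3t-constructed'
}.freeze

KEY = OpenSSL::Random.random_bytes(32) # stand-in for a key held by the server
STORED = JSON.generate(seal_input(SAMPLE_INPUT, KEY)) # what would be persisted
puts STORED
```

The serialized input that a task console would display then carries only the sealed value, and a modified value fails authentication on unseal instead of being used.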
#2 Updated by Justin Sherrill 11 months ago
- Triaged changed from No to Yes
- Target version set to Katello 3.12.2
- Subject changed from Registry credentials are captured in plain text in dynflow task during repository discovery to Registry credentials are captured in plain text in dynflow task during repository discovery