Bug #29465

closed

Invoked Receptor installation job shows plaintext password in user inputs

Added by Marek Hulán about 4 years ago. Updated about 4 years ago.


Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1817485

Description of problem:
After invoking a Configure Cloud Connector job, Receptor user credentials are shown in the Job Invocation's "User Inputs" part, which is accessible to any user with the "Remote Execution User" role. This user can log in as the Receptor user, misusing whatever rights that user has.
Similar to bug 1814998.

Version-Release number of selected component (if applicable):
Sat 6.7 snap 17, NOT regression

How reproducible:
Deterministic

Steps to Reproduce:
1. Hosts -> Job Templates -> run Configure Cloud Connector
2. Select hosts, enter (required) satellite_user and satellite_password
3. As any user that can do it, open the job invocation

Actual results:
You can see satellite_user and satellite_password in plaintext

Expected results:
You shouldn't be able to get these values in any way through Satellite

Additional info:
It's expectable that the passwords are stored somewhere (e.g. database) and they can be accessed there


Related issues 1 (0 open, 1 closed)

Related to Foreman Remote Execution - Bug #29793: 3.2.0 is not compatible with Foreman 2.0 (Closed, Adam Ruzicka)

#1

Updated by The Foreman Bot about 4 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Marek Hulán
  • Pull request https://github.com/theforeman/foreman_remote_execution/pull/485 added

#2

Updated by The Foreman Bot about 4 years ago

  • Fixed in Releases foreman_remote_execution 3.0.2 added

#3

Updated by The Foreman Bot about 4 years ago

  • Pull request https://github.com/theforeman/foreman_remote_execution/pull/486 added

#4

Updated by Marek Hulán about 4 years ago

  • Status changed from Ready For Testing to Closed

#5

Updated by The Foreman Bot about 4 years ago

  • Pull request https://github.com/theforeman/foreman_remote_execution/pull/487 added

#6

Updated by Adam Ruzicka about 4 years ago

  • Fixed in Releases foreman_remote_execution 2.0.10, foreman_remote_execution 3.1.0 added
  • Fixed in Releases deleted (foreman_remote_execution 3.0.2)

#7

Updated by Anonymous almost 4 years ago

  • Related to Bug #29793: 3.2.0 is not compatible with Foreman 2.0 added