Bug #29465

closed

Invoked Receptor installation job shows plaintext password in user inputs

Added by Marek Hulán almost 5 years ago. Updated almost 5 years ago.


Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1817485

Description of problem:
After invoking a Configure Cloud Connector job, Receptor user credentials are shown in Job Invocation's "User Inputs" part, which is accessible to any user with the "Remote Execution User" role. This user can log in as the Receptor user, misusing whatever rights that user has.
Similar to bug 1814998.

Version-Release number of selected component (if applicable):
Sat 6.7 snap 17, NOT regression

How reproducible:
Deterministic

Steps to Reproduce:
1. Hosts -> Job Templates -> run Configure Cloud Connector
2. Select hosts, enter (required) satellite_user and satellite_password
3. As any user that can do it, open the job invocation

Actual results:
You can see satellite_user and satellite_password in plaintext

Expected results:
You shouldn't be able to get these values in any way through Satellite

Additional info:
It's expectable that the passwords are stored somewhere (e.g. database) and they can be accessed there


Related issues: 1 (0 open, 1 closed)

Related to Foreman Remote Execution - Bug #29793: 3.2.0 is not compatible with Foreman 2.0 (Closed, Adam Ruzicka)