Bug #31938 (closed)
CVE-2021-3413 Azure compute resource secret_key leak to authenticated users
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1928786
authenticated users can acquire credentials of compute resources
- prerequisites
  - user with the view_compute_resources permission (e.g. as granted by the "Viewers" role)
  - Azure RM compute resource configured
- tested environment
  - Foreman 2.1 with Azure RM compute resource
- leak
  - When the `/api/compute_resources/:id/` API endpoint is accessed, it contains the secret_key of the Azure RM user (also the tenant, app_ident etc. data that is required to connect, but I think secret_key is the only secret here).
Version-Release number of selected component (if applicable):
2.1 with Azure RM plugin
How reproducible:
100%
Steps to Reproduce:
1. access /api/compute_resources/:id/
2. see credentials in the JSON
Actual results:
JSON contains "secret_key":"THE_KEY"
Expected results:
JSON doesn't contain the "secret_key" entry
Additional info:
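The leak above is a serializer that echoes every stored attribute of the compute resource, including the credential, to anyone allowed to view it. The following Ruby is an added illustration, not code from foreman_azure_rm or from the referenced pull request: it contrasts a dump-everything API view with an allow-listed one, and adds a small scanner that walks a parsed `/api/compute_resources/:id/` response and reports any secret-bearing keys, which is a usable regression check after patching. The record, the `sub_id`/`region` fields and the placeholder credential values are constructed; only `tenant`, `app_ident` and `secret_key` come from the report.

```ruby
require 'json'

# Keys whose values must never appear in an API response. secret_key is the
# field named in the report; the other names are assumptions for illustration.
SECRET_KEYS = %w[secret_key password secret client_secret].freeze

# Constructed stand-in for an Azure RM compute resource record (not Foreman's
# model). Credential values are obvious placeholders.
AZURE_CR = {
  'id' => 1, 'name' => 'azure-west', 'provider' => 'AzureRm',
  'tenant' => '00000000-0000-0000-0000-000000000000',
  'app_ident' => 'PLACEHOLDER_APP_ID',
  'secret_key' => 'PLACEHOLDER_SECRET',
  'region' => 'westeurope'
}.freeze

# Vulnerable shape: the show view serializes every attribute, secret included.
def api_show_vulnerable(cr)
  cr.to_json
end

# Hardened shape: allow-list what a reader needs. The secret is write-only:
# it can be set through the API but is never echoed back.
API_VISIBLE = %w[id name provider tenant app_ident region].freeze

def api_show_hardened(cr)
  cr.select { |k, _| API_VISIBLE.include?(k) }.to_json
end

# Defender's check: return the JSON paths of every non-empty secret-bearing
# key in a parsed API response (recurses through nested objects and arrays).
def leaked_secret_paths(node, path = '$')
  case node
  when Hash
    node.flat_map do |k, v|
      here = "#{path}.#{k}"
      hit = SECRET_KEYS.include?(k.to_s) && !v.to_s.empty? ? [here] : []
      hit + leaked_secret_paths(v, here)
    end
  when Array
    node.each_with_index.flat_map { |v, i| leaked_secret_paths(v, "#{path}[#{i}]") }
  else
    []
  end
end

if __FILE__ == $PROGRAM_NAME
  puts leaked_secret_paths(JSON.parse(api_show_vulnerable(AZURE_CR))).inspect # ["$.secret_key"]
  puts leaked_secret_paths(JSON.parse(api_show_hardened(AZURE_CR))).inspect   # []
end
```

Run against a real instance, the same scanner over the response of `GET /api/compute_resources/:id/` as a view-only user should return an empty list once the fix is applied.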
Updated by The Foreman Bot over 3 years ago
- Assignee set to Evgeni Golov
- Pull request https://github.com/theforeman/foreman_azure_rm/pull/103 added
Updated by Evgeni Golov over 3 years ago
- Status changed from New to Closed
Applied in changeset foreman_azure_rm|ccdff90e9c2497af3114c686571bdbad91f1a6bd.
Updated by Chris Roberts over 3 years ago
- Subject changed from CVE-2021-3413 Azure compute resource secret_key leak to authenticated users to CVE-2021-3413 Azure compute resource secret_key leak to authenticated users
- Category set to General Plugin Issues
- Target version set to 2.2.0
- Triaged changed from No to Yes