Bug #31938

CVE-2021-3413 Azure compute resource secret_key leak to authenticated users

Added by Evgeni Golov 2 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
General Plugin Issues
Target version:
Difficulty:
Triaged:
Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1928786

authenticated users can acquire credentials of compute resources

1. prerequisites

- user with the view_compute_resources permission (e.g. like granted by the "Viewers" role)
- Azure RM compute resource configured

2. tested environment

Foreman 2.1 with Azure RM compute resource

3. leak

When the `/api/compute_resources/:id/` API endpoint is accessed, it contains the secret_key of the Azure RM user (also the tenant, app_ident etc data that is required to connect, but I think secret_key is the only secret here).

Version-Release number of selected component (if applicable):
2.1 with Azure RM plugin

How reproducible:
100%

Steps to Reproduce:
1. access /api/compute_resources/:id/
2. see credentials in the JSON

Actual results:
JSON contains "secret_key":"THE_KEY"

Expected results:
JSON doesn't contain the "secret_key" entry

Additional info:
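As an added example (not code from Foreman or from the foreman_azure_rm fix), a small Ruby check an administrator can run over a captured `/api/compute_resources/:id/` response body to confirm that no credential field reaches API consumers; the two sample bodies are constructed, and the set of field names treated as sensitive is an assumption.

```ruby
require 'json'

# Field names that must never appear in a compute-resource API response.
# secret_key is the field named in this report; password is an assumed
# extra that a deployment may also want to treat as a secret.
SENSITIVE_FIELDS = %w[secret_key password].freeze

# Walk a parsed JSON document and return the JSON-pointer-style paths of
# every sensitive field that carries a non-empty value, at any depth.
def leaked_secret_paths(node, path = '')
  case node
  when Hash
    node.flat_map do |key, value|
      here = "#{path}/#{key}"
      hits = leaked_secret_paths(value, here)
      hits.unshift(here) if SENSITIVE_FIELDS.include?(key.to_s) && !value.to_s.empty?
      hits
    end
  when Array
    node.each_with_index.flat_map { |item, i| leaked_secret_paths(item, "#{path}/#{i}") }
  else
    []
  end
end

# Parse a raw response body and report the paths of leaked credential fields.
def leaked_secret_paths_from_json(body)
  leaked_secret_paths(JSON.parse(body))
end

# Constructed sample bodies, not real Foreman output: one as the report
# describes the vulnerable response, one as the expected result.
VULNERABLE_BODY = <<~JSON
  {"id": 3, "name": "azure-west", "provider": "AzureRm",
   "tenant": "00000000-0000-0000-0000-000000000000",
   "app_ident": "11111111-1111-1111-1111-111111111111",
   "secret_key": "THE_KEY"}
JSON

FIXED_BODY = <<~JSON
  {"id": 3, "name": "azure-west", "provider": "AzureRm",
   "tenant": "00000000-0000-0000-0000-000000000000",
   "app_ident": "11111111-1111-1111-1111-111111111111"}
JSON

if __FILE__ == $PROGRAM_NAME
  [VULNERABLE_BODY, FIXED_BODY].each do |body|
    leaks = leaked_secret_paths_from_json(body)
    puts(leaks.empty? ? 'OK: no credential fields in response' : "LEAK: #{leaks.join(', ')}")
  end
end
```

To audit a live instance, feed the check the body returned to a user holding only the view_compute_resources permission; an empty result means the fix is in effect.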

Associated revisions

Revision ccdff90e (diff)
Added by Evgeni Golov about 2 months ago

Fixes #31938 - CVE-2021-3413 Azure compute secret_key leak

History

#1 Updated by The Foreman Bot 2 months ago

  • Assignee set to Evgeni Golov
  • Pull request https://github.com/theforeman/foreman_azure_rm/pull/103 added

#2 Updated by Evgeni Golov about 2 months ago

  • Status changed from New to Closed

#3 Updated by Chris Roberts about 1 month ago

  • Triaged changed from No to Yes
  • Target version set to 2.2.0
  • Category set to General Plugin Issues
  • Subject changed from CVE-2021-3413 Azure compute resource secret_key leak to authenticated users to CVE-2021-3413 Azure compute resource secret_key leak to authenticated users

#4 Updated by Chris Roberts about 1 month ago

  • Fixed in Releases 2.2.0 added
