Project

General

Profile

Actions

Bug #36460

closed

Satellite users with access to Virt-who Configurations can read out the 'Hypervisor Password ' from the input field

Added by Lucy Fu over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Difficulty:
Triaged:
Yes
Fixed in Releases:
Found in Releases:

Description

Clone of https://bugzilla.redhat.com/show_bug.cgi?id=2158702

Description of problem:

Users logged in to Satellite WebUI who have access to the virt-who configuration mask (foreman_virt_who_configure/configs/1/edit) can read out the current password from the 'Hypervisor Password ' input field.

This is a security incident because all Satellite administrators might not have access to VMware infrastructure and 'Hypervisor Password ' should not be exposed to them.

Version-Release number of selected component (if applicable): All Satellite versions

How reproducible: Always

Steps to Reproduce:

1.Navigate to Satellite WebUI -> infrastructure -> Virt-who configurations -> create a configuration filling all the details.

2. Navigate to Satellite WebUI -> infrastructure -> Virt-who configurations -> <Configuration-Name> -> Edit

3. Place pointer on 'Hypervisor Password' field, right-click on the password field and click on "Inspect".

Actual results: The real password is shown in the value field of the input object.

Expected results: The input field "foreman_virt_who_configure_config[hypervisor_password]" should only contains dummy data.

Additional info: The web frontend of satellite is leaking this password. It would be great if satellite would use the same password input mechanism for virt-who as for the compute resources or the ldap binding accounts

/compute_resources/1-myvmware/edit#
/auth_source_ldaps/5-myldap/edit

If we go to Satellite WebUI -> Adminsiter -> Authentication Sources, you will not get the 'Account Password' in same way.

Actions

Also available in: Atom PDF