oss-sec mailing list archives
CVE-2017-2672: Foreman image password disclosure in audit log
From: Dominic Cleal <dominic () cleal org>
Date: Thu, 6 Apr 2017 14:22:55 +0100
CVE-2017-2672: Foreman compute resource image passwords disclosed via audit log When images for compute resources (e.g. an OpenStack image) are added/registered in Foreman, the password used to log in is recorded in plain text in the audit log. This may allow users with access to view the audit log to access newly provisioned hosts using the stored credentials. Mitigation: remove view_audit_logs permission from users, change image passwords. This issue was reported by Daniel Kimsey. Affects Foreman 1.4 and higher Fix due to be released Patch: https://github.com/theforeman/foreman/commit/02489389f1a4443e1f437b86aa7ce245f1437020 More information: https://theforeman.org/security.html#2017-2672 http://projects.theforeman.org/issues/19169 https://theforeman.org -- Dominic Cleal dominic () cleal org
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE-2017-2672: Foreman image password disclosure in audit log Dominic Cleal (Apr 06)