LOW 2.7

GHSA-m4wh-848j-9w2r

Katello cleartext password storage issue

Details

A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.2. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / katello

Introduced in: 3.0.0.0 Fixed in: 3.12.2

Fix bundle update katello

References

https://nvd.nist.gov/vuln/detail/CVE-2019-14825 [ADVISORY]
https://github.com/Katello/katello/pull/8244 [WEB]
https://github.com/Katello/katello/pull/8253 [WEB]
https://github.com/Katello/katello/commit/332484232b66b7907a8104a19ea97eb697b75c79 [WEB]
https://github.com/Katello/katello/commit/4eefa678a905140620ca8b390d48fe318d36e4ea [WEB]
https://access.redhat.com/errata/RHSA-2019:3172 [WEB]
https://access.redhat.com/security/cve/CVE-2019-14825 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=1730668 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=1739485 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14825 [WEB]
https://github.com/Katello/katello [PACKAGE]
https://github.com/Katello/katello/commits/3.12.2 [WEB]
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/katello/CVE-2019-14825.yml [WEB]
https://projects.theforeman.org/issues/27485 [WEB]