CVSS3: 2.7 Low
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 21.5%
A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.2. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.
access.redhat.com/errata/RHSA-2019:3172
access.redhat.com/security/cve/CVE-2019-14825
bugzilla.redhat.com/show_bug.cgi?id=1730668
bugzilla.redhat.com/show_bug.cgi?id=1739485
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14825
github.com/Katello/katello
github.com/Katello/katello/commit/332484232b66b7907a8104a19ea97eb697b75c79
github.com/Katello/katello/commit/4eefa678a905140620ca8b390d48fe318d36e4ea
github.com/Katello/katello/commits/3.12.2
github.com/Katello/katello/pull/8244
github.com/Katello/katello/pull/8253
github.com/rubysec/ruby-advisory-db/blob/master/gems/katello/CVE-2019-14825.yml
nvd.nist.gov/vuln/detail/CVE-2019-14825
projects.theforeman.org/issues/27485