In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1090 | Issue Tracking Third Party Advisory |
https://pulp.plan.io/issues/3521 | Vendor Advisory |
https://access.redhat.com/errata/RHSA-2018:2927 | Third Party Advisory |
Information
Published : 2018-06-18 07:29
Updated : 2019-10-09 16:38
NVD link : CVE-2018-1090
Mitre link : CVE-2018-1090
JSON object : View
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Products Affected
pulpproject
- pulp
redhat
- satellite
fedoraproject
- fedora