CVE-2018-1090

In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1090 Issue Tracking Third Party Advisory
https://pulp.plan.io/issues/3521 Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2927 Third Party Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:pulpproject:pulp:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:-:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:redhat:satellite:6.4:*:*:*:*:*:*:*

Information

Published : 2018-06-18 07:29

Updated : 2019-10-09 16:38


NVD link : CVE-2018-1090

Mitre link : CVE-2018-1090


JSON object : View

CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Advertisement

dedicated server usa

Products Affected

pulpproject

  • pulp

redhat

  • satellite

fedoraproject

  • fedora