In pulp, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
Find out more about CVE-2018-1090 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue affects the versions of pulp as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having security impact of (Low|Moderate). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue affects the versions of pulp as shipped with Red Hat Subscription Asset Manager. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
CVSS3 Base Score | 5.5 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | Low |
User Interaction | Required |
Scope | Unchanged |
Confidentiality | Low |
Integrity Impact | Low |
Availability Impact | Low |
Platform | Errata | Release Date |
---|---|---|
Red Hat Satellite 6.4 for RHEL 7 (pulp) | RHSA-2018:2927 | 2018-10-16 |
Red Hat Satellite 6.4 for RHEL 7 (pulp) | RHSA-2018:2927 | 2018-10-16 |
Platform | Package | State |
---|---|---|
Red Hat Subscription Asset Manager 1 | pulp | Will not fix |
Red Hat Satellite 6 | pulp | Affected |