CVE-2019-14825
Published 2019-11-25
Priority: P4 · Severity: low · CVSS 3.1 base score: 2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.65% (46.4th percentile)
A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.
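The logging mistake and the fix pattern, as an added Ruby example that is not Katello's own code: a constructed repository-discovery task input is serialized once as-is, the way the bug stored it in the dynflow task, and once through a masking filter; a checker then parses stored task records and reports which ones still carry a known registry password verbatim. The input key names, the action label and the sample credentials are assumptions made for this example.

```ruby
require 'json'

# Substrings that mark a key as secret. Assumed list for this example; the
# real discovery action's input keys are not shown on the page.
SECRET_KEY_PATTERN = /password|passwd|secret|token|api_key/i
MASK = '[FILTERED]'

# Constructed sample input for a container-image discovery task (not real data).
SAMPLE_INPUT = {
  'repository_type' => 'docker',
  'registry_url' => 'https://registry.example.com',
  'search' => 'rhel7',
  'upstream_username' => 'svc-satellite',
  'upstream_password' => 'S3cr3t-Registry-Pass'
}.freeze

# Walk a task input and replace every value under a secret-looking key.
# Hashes and arrays are copied, so the caller's object is left untouched.
def mask_secrets(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(key, value), out|
      out[key] = key.to_s.match?(SECRET_KEY_PATTERN) ? MASK : mask_secrets(value)
    end
  when Array
    obj.map { |value| mask_secrets(value) }
  else
    obj
  end
end

# Vulnerable pattern: the action input, password included, is serialized into
# the task record exactly as submitted. Anyone allowed to view tasks reads it.
# The action label is illustrative.
def record_task_vulnerable(input)
  { 'label' => 'Actions::Katello::Repository::Discover', 'input' => input }.to_json
end

# Hardened pattern: mask the input before it is persisted or logged, so the
# stored task and the task log only ever carry the placeholder.
def record_task_hardened(input)
  { 'label' => 'Actions::Katello::Repository::Discover', 'input' => mask_secrets(input) }.to_json
end

# Collect every string value from a parsed record, at any nesting depth.
def string_values(obj)
  case obj
  when Hash then obj.values.flat_map { |v| string_values(v) }
  when Array then obj.flat_map { |v| string_values(v) }
  when String then [obj]
  else []
  end
end

# Check: given serialized task records and the credentials actually in use,
# return the indexes of records that still carry one of them verbatim.
# Values are compared after JSON parsing, so escaping cannot hide a match.
def find_leaking_tasks(records, credentials)
  records.each_index.select do |i|
    values = string_values(JSON.parse(records[i]))
    credentials.any? { |cred| !cred.to_s.empty? && values.include?(cred) }
  end
end

if __FILE__ == $PROGRAM_NAME
  records = [record_task_vulnerable(SAMPLE_INPUT), record_task_hardened(SAMPLE_INPUT)]
  puts "leaking records: #{find_leaking_tasks(records, [SAMPLE_INPUT['upstream_password']]).inspect}"
end
```

The check is the part worth keeping after patching: a password that was already written into a task record stays readable until the record is purged, so an operator who finds a match should rotate the registry credential rather than rely on the upgrade alone. The page does not name the table or tool for reading stored dynflow inputs on a real Satellite, so the record format here is illustrative.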
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| katello | katello | >= 3.0.0.0 < 3.12.2 | 3.12.2 |
| red_hat | katello | — | — |
| theforeman | katello | >= 3.0.0.0 < 3.12.0.9 | 3.12.0.9 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 2.7 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
| nvd | v3.0 | 4.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_redhat | — | 2.7 | LOW | — |
GHSA
Katello cleartext password storage issue
ghsa·2022-05-24
CVE-2019-14825 · LOW · CWE-312
A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.2. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.
OSV
Katello cleartext password storage issue
osv·2022-05-24
CVE-2019-14825 · LOW
A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.2. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.
Red Hat
katello: registry credentials are captured in plain text during repository discovery
vendor_redhat·2019-08-09·CVSS 2.7
CVE-2019-14825 · LOW · CWE-312
A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.
A cleartext password storage issue was discovered in Katello. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-14825 katello: registry credentials are captured in plain text during repository discovery
bugzilla·2019-08-09·CVSS 2.7
CVE-2019-14825 · LOW
Registry credentials are captured in plain text in dynflow task during repository discovery.
Upstream issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1730668
Discussion:
This issue has been addressed in the following products:
Red Hat Satellite 6.6 for RHEL 7
Via RHSA-2019:3172 https://access.redhat.com/errata/RHSA-2019:3172
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-14825
Bugzilla
CVE-2019-14825 katello: Registry credentials are captured in plain text in dynflow task during repository discovery [rhn_satellite_6-default]
bugzilla·2019-07-17·CVSS 2.7
CVE-2019-14825 · LOW
Created redmine issue https://projects.theforeman.org/issues/27485 from this bug
Discussion:
Upstream bug assigned to [email protected]
---
Upstream bug assigned to [email protected]
---
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/27485 has been resolved.
---
ON_QA Verified:
@Satellite 6.6.0 snap 16.0
Steps/Observations:
1. Logged in to the Satellite WebUI
2. Content > Products > Repo Discovery
3. Selected 'Container Images' for 'Repository Type'
4. Selected 'Red Hat registry'
5. Entered registry username and password
6. Clicked 'Discover'
7. Checked the relevant task