CVE-2019-14825

A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged users.

Published: Nov 25, 2019
Updated: May 9, 2024
CVE: CVE-2019-14825
GHSA: GHSA-m4wh-848j-9w2r
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 2.7
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-312

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
theforeman / katello	3.0.0.0	3.12.0.9
katello	3.0.0.0	3.12.2

https://access.redhat.com/errata/RHSA-2019:3172
https://access.redhat.com/security/cve/CVE-2019-14825
https://bugzilla.redhat.com/show_bug.cgi?id=1730668
https://bugzilla.redhat.com/show_bug.cgi?id=1739485
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14825
https://github.com/Katello/katello/commit/332484232b66b7907a8104a19ea97eb697b75c79
https://github.com/Katello/katello/commit/4eefa678a905140620ca8b390d48fe318d36e4ea
https://github.com/Katello/katello/commits/3.12.2
https://github.com/Katello/katello/pull/8244
https://github.com/Katello/katello/pull/8253
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/katello/CVE-2019-14825.yml
https://projects.theforeman.org/issues/27485

Vulnerability Database

289,689

CVE-2019-14825