Date: Thu, 6 Apr 2017 14:22:55 +0100
From: Dominic Cleal <>
Subject: CVE-2017-2672: Foreman image password disclosure in audit log

CVE-2017-2672: Foreman compute resource image passwords disclosed via
audit log

When images for compute resources (e.g. an OpenStack image) are
added/registered in Foreman, the password used to log in is recorded in
plain text in the audit log. This may allow users with access to view
the audit log to access newly provisioned hosts using the stored

Mitigation: remove view_audit_logs permission from users, change image

This issue was reported by Daniel Kimsey.

Affects Foreman 1.4 and higher
Fix due to be released


More information:

Dominic Cleal
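
The exposure described in this advisory, as an added Ruby example that is not part of the original message and is not Foreman's code: it finds audit entries that still hold a password in clear text and shows the same entries with the value redacted at write time. The record layout, the `password` key, the helper names and the sample data are assumptions constructed for illustration.

```ruby
# Added illustration; record layout and names are assumptions, not Foreman's code.
SENSITIVE_KEYS = %w[password].freeze
REDACTED = '[redacted]'.freeze

# Constructed sample audit entries. A change is either attribute => value
# (create) or attribute => [old, new] (update).
SAMPLE_AUDITS = [
  { id: 1, type: 'Image', action: 'create',
    changes: { 'name' => 'centos7-cloud', 'username' => 'root',
               'password' => 'example-secret' } },
  { id: 2, type: 'Image', action: 'update',
    changes: { 'password' => ['example-secret', 'example-secret-2'] } },
  { id: 3, type: 'Host', action: 'update',
    changes: { 'comment' => ['', 'rebuilt'] } },
  { id: 4, type: 'Image', action: 'update',
    changes: { 'password' => [REDACTED, REDACTED] } }
].freeze

# Replace sensitive values with a marker while keeping the create/update shape,
# so the log still records that the attribute changed.
def redact_changes(changes)
  changes.each_with_object({}) do |(key, value), out|
    if !SENSITIVE_KEYS.include?(key)
      out[key] = value
    elsif value.is_a?(Array)
      out[key] = value.map { |v| v.nil? ? nil : REDACTED }
    else
      out[key] = REDACTED
    end
  end
end

# Entries whose sensitive attributes are still readable by anyone who can
# view the audit log.
def exposed_audits(audits)
  audits.select do |audit|
    audit[:changes].any? do |key, value|
      SENSITIVE_KEYS.include?(key) &&
        Array(value).any? { |v| !v.nil? && v != REDACTED }
    end
  end
end

# What the log would contain had redaction been applied before writing.
def sanitize(audits)
  audits.map { |audit| audit.merge(changes: redact_changes(audit[:changes])) }
end

if __FILE__ == $PROGRAM_NAME
  puts "exposed before: #{exposed_audits(SAMPLE_AUDITS).map { |a| a[:id] }}"
  puts "exposed after:  #{exposed_audits(sanitize(SAMPLE_AUDITS)).map { |a| a[:id] }}"
end
```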
