Description
A flaw was found in some ManageIQ providers where the logging mechanism is configured incorrectly and will log Authorization headers in plaintext.
Mitigation
We recommend upgrading to a fixed release. If upgrading is not possible, this flaw can be mitigated with one of the following:
- Users can work around this issue by changing the log level to "warn" for the ansible_tower, aws, and lenovo logs, and to "error" for the autosde log. This can be done by going to Settings -> Application Settings -> Advanced, searching for the section named :log, and then finding the sub-key for the log in question.
- Alternatively, apply the following patches:
Acknowledgements
ManageIQ would like to thank Sigbjorn Lie for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2023-46175
Details
Fixed in quinteros-2
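Log files written before the upgrade or the log-level change are not rewritten by either step, so they may still hold the logged headers. The Ruby code below is an added example, not ManageIQ code: it locates Authorization header values in log text, fingerprints them so distinct credentials can be counted for rotation, and redacts them. The header layouts, the scheme list and the sample lines are assumptions constructed for illustration.

```ruby
require "digest"

# Schemes to search for. This list is an assumption; extend it as needed.
SCHEMES = %w[Basic Bearer Token Digest Negotiate].freeze

# Matches both `Authorization: "Basic ..."` and `"Authorization"=>"Bearer ..."`.
AUTH_HEADER = /
  (?<key>["']?authorization["']?\s*(?:=>|:|=)\s*["']?)
  (?<scheme>#{Regexp.union(SCHEMES).source})\s+
  (?<cred>[^\s"',}]+)
/xi

# Returns the line with each credential replaced; the scheme is kept for triage.
def redact_line(line)
  line.gsub(AUTH_HEADER) do
    m = Regexp.last_match
    "#{m[:key]}#{m[:scheme]} [REDACTED]"
  end
end

# Returns one finding per logged header: line number, scheme, and a short
# SHA-256 fingerprint, so the credential itself is never printed again.
def scan_log(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    line.scan(AUTH_HEADER) do
      m = Regexp.last_match
      findings << { line: lineno, scheme: m[:scheme],
                    fingerprint: Digest::SHA256.hexdigest(m[:cred])[0, 12] }
    end
  end
  findings
end

# Constructed sample lines: not real ManageIQ output, not real credentials.
SAMPLE_LOG = <<~LOG
  INFO -- : request: GET https://tower.example.com/api/v2/me/
  DEBUG -- : request: Authorization: "Basic ZXhhbXBsZTpleGFtcGxl"
  DEBUG -- : headers: {"Accept"=>"application/json", "Authorization"=>"Bearer example.token.value"}
  DEBUG -- : request: Authorization: "Basic ZXhhbXBsZTpleGFtcGxl"
  WARN -- : authorization failed for user admin
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |f| puts f.inspect }
  SAMPLE_LOG.each_line { |l| puts redact_line(l) }
end
```

Any credential that appears in the findings should be treated as exposed and rotated, since redacting the file does not change who has already read it.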