pulp-qpid-ssl-cfg echoes the NSS DB password
Sander Bos reported that the pulp-qpid-ssl-cfg script echoes the NSS DB password. The password likely has little use for the admin, so there is no need for it to be printed. Echoing it will allow an observer to view the password on an admin's screen. However, since the script's shebang invokes bash and echo is a bash built-in, this password does not end up in the process table.
This password is stored in a file for qpidd to use. I recommend printing the path to that file for the user, rather than telling the password directly. If the user really wants to know the password, they can retrieve it that way.
I spoke with Red Hat Product Security, and we agreed that this was not a CVE but rather a silly behavior and so we should fix it as security hardening, but not as a security vulnerability.
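One way to implement the recommendation above, as an added example that is not the pulp-qpid-ssl-cfg script's own code. The function name, the `password` file name and the way the password is generated are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: all names here are hypothetical, not taken from pulp-qpid-ssl-cfg.

# write_db_password DIR
# Generates a random password, stores it in DIR/password with mode 0600,
# and prints only the path of that file on stdout.
write_db_password() {
    pw_dir=$1
    pw_file="$pw_dir/password"   # hypothetical file name

    # The subshell keeps the umask change and the secret out of the caller.
    (
        umask 077
        # od reads the kernel RNG directly; the secret is never passed as an
        # argument to an external command, so it stays out of the process table.
        pw=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
        [ "${#pw}" -eq 32 ] || exit 1
        # printf is a shell built-in, and the redirect sends the secret to
        # the file rather than to the terminal.
        printf '%s\n' "$pw" > "$pw_file" || exit 1
        # umask does not tighten a file that already existed with looser bits.
        chmod 600 "$pw_file"
    ) || return 1

    # Tell the admin where the password lives instead of what it is.
    printf 'Password stored in: %s\n' "$pw_file"
}

# Demo on a throwaway directory (constructed for this example).
demo_dir=$(mktemp -d)
write_db_password "$demo_dir"
rm -rf "$demo_dir"
```

An admin who needs the value can read the file as its owner; nothing secret reaches the screen or the scrollback.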