
Aaron Weitekamp

Researcher from Red Hat
#52206 of 53,632
4.2 Total CVSS
Vulnerabilities · 2
Low: 2
PT-2013-1801
2.1
2013-03-12
Red Hat · Aeolus Configuration Server · CVE-2012-5509
**Name of the Vulnerable Software and Affected Versions**
Aeolus Configuration Server versions prior to 1.1.2

**Description**
aeolus-configserver-setup in the Aeolus Configuration Server, which is used in Red Hat CloudForms Cloud Engine, uses world-readable permissions for a temporary file in /tmp. Local users can read credentials by accessing this file.

**Recommendations**
Update versions prior to 1.1.2 to version 1.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the temporary files in /tmp to minimize the risk of credential exposure.
PT-2013-1902
2.1
2013-03-12
Red Hat · Aeolus Configuration Server · CVE-2012-6117
**Name of the Vulnerable Software and Affected Versions**
Aeolus Configuration Server versions prior to 1.1.2

**Description**
The log file has world-readable permissions, which allows local users to read plaintext passwords by accessing it.

**Recommendations**
Update versions prior to 1.1.2 to version 1.1.2 or later to resolve the issue. As a temporary workaround, consider changing the permissions of the /var/log/aeolus-configserver/configserver.log file to restrict access.