FI-2024-012 - Sensitive information in agent log file when detailed logging is enabled with Robot Schedule Enterprise prior to version 3.05
Notes
Fortra's Robot Schedule Enterprise Agent prior to version 3.05 writes FTP username and password information to the agent log file when detailed logging is enabled. The agent log is accessible in the following ways:
While the agent job is running, the agent log is readable by any user on the Windows agent system. Once the agent job is done, the log file is removed.
After the agent is done, the log is accessible as a spooled file on the IBM i. Any user on the IBM i with access to the spool file can access the agent log.
In addition, the agent log is also written to a physical file on the IBM i. This file (as well as a related logical file) has *PUBLIC *USE authority in a library that defaults to *PUBLIC *USE, meaning any IBM i profile on the system can access this log.
The agent log can be retrieved via the Robot Schedule GUI. If the user has configured Robot Schedule's security, the user must also have access to job completion history to access the agent log through the GUI.
NOTE: If detailed logging is NOT enabled, users are not exposed to this vulnerability.