The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.
References
Link | Resource
---|---
http://rhn.redhat.com/errata/RHSA-2012-1186.html | Broken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-1187.html | Third Party Advisory
http://secunia.com/advisories/50344 | Broken Link
http://www.securityfocus.com/bid/55140 | Broken Link, Third Party Advisory, VDB Entry
https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3 | Patch
https://github.com/Katello/katello/pull/499 | Issue Tracking
Configurations
History
13 Feb 2024, 16:44
Type | Values Removed | Values Added
---|---|---
CPE | | cpe:2.3:a:theforeman:katello:*:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
CWE | | CWE-798
CVSS | v2 : v3 : | v2 : 6.5 v3 : 9.8
First Time | | Redhat, Theforeman, Theforeman katello, Redhat enterprise Linux Server
References | | (REDHAT) http://rhn.redhat.com/errata/RHSA-2012-1186.html - Broken Link, Third Party Advisory
References | | (SECUNIA) http://secunia.com/advisories/50344 - Broken Link
References | | (CONFIRM) https://github.com/Katello/katello/pull/499 - Issue Tracking
References | | (REDHAT) http://rhn.redhat.com/errata/RHSA-2012-1187.html - Third Party Advisory
References | | (BID) http://www.securityfocus.com/bid/55140 - Broken Link, Third Party Advisory, VDB Entry
References | | (CONFIRM) https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3 - Patch
Information
Published : 2012-08-25 10:29
Updated : 2024-02-28 12:00
NVD link : CVE-2012-3503
Mitre link : CVE-2012-3503
CVE.ORG link : CVE-2012-3503
Products Affected
redhat
- enterprise_linux_server
theforeman
- katello
CWE
CWE-798
Use of Hard-coded Credentials