Katello uses hard-coded credential
Published: May 17, 2022
SECURITY IDENTIFIERS
- CVE: CVE-2012-3503 (NVD)
- GHSA: GHSA-5xv2-q475-rwrh
GEM
SEVERITY
PATCHED VERSIONS
- ~> 1.0.6
- >= 1.1.7
DESCRIPTION
The installation script in Katello 1.0 and earlier does not properly
generate the Application.config.secret_token value, so every default
installation ends up with the same secret token. Because that token is
what signs session cookies, remote attackers who know the default value
can forge a cookie and authenticate to the CloudForms System Engine web
interface as an arbitrary user.
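The defensive check the fix amounts to, as an added example in Ruby (not code from Katello or from the linked pull request): read a Rails-style config, flag a secret_token that is missing, short or known to be shared, and rewrite it with a freshly generated random value. The sample config text, the placeholder token and the list of known defaults are constructed for this example.

```ruby
# Added example, not Katello's own installer code: audit a Rails-style
# config for a shared Application.config.secret_token and rotate it.
require 'securerandom'

# Constructed sample of the pre-fix situation: every install shipped the
# same token. The value is a placeholder, not the real shipped token.
SAMPLE_CONFIG = <<~RUBY
  Katello::Application.configure do |config|
    config.secret_token = 'PLACEHOLDER_SAME_ON_EVERY_INSTALL'
  end
RUBY

# Constructed list of values known to be shared across installs.
KNOWN_SHARED_DEFAULTS = ['PLACEHOLDER_SAME_ON_EVERY_INSTALL'].freeze

# group 1: assignment prefix, group 2: quote character, group 3: token
TOKEN_RE = /(config\.secret_token\s*=\s*)(['"])([^'"]*)\2/

# Returns the configured token string, or nil if no assignment is present.
def extract_secret_token(config_text)
  m = config_text.match(TOKEN_RE)
  m && m[3]
end

# Weak if absent, shorter than 64 hex chars (~256 bits), or a known default.
def weak_secret_token?(token, known_defaults = KNOWN_SHARED_DEFAULTS)
  token.nil? || token.length < 64 || known_defaults.include?(token)
end

# Rewrite the assignment with a new token; SecureRandom.hex(64) gives
# 128 hex characters (512 bits), the length Rails' own generator uses.
def rotate_secret_token(config_text, new_token = SecureRandom.hex(64))
  config_text.sub(TOKEN_RE) { "#{$1}#{$2}#{new_token}#{$2}" }
end

if __FILE__ == $0
  token = extract_secret_token(SAMPLE_CONFIG)
  puts "current token weak? #{weak_secret_token?(token)}"
  fixed = rotate_secret_token(SAMPLE_CONFIG)
  puts "rotated token weak? #{weak_secret_token?(extract_secret_token(fixed))}"
end
```

Run it against a real config only after backing the file up: rotating the token invalidates every existing session cookie, which is exactly the effect wanted after a shared default has been exposed.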
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2012-3503
- https://github.com/Katello/katello/pull/499
- https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3
- http://rhn.redhat.com/errata/RHSA-2012-1186.html
- http://rhn.redhat.com/errata/RHSA-2012-1187.html
- https://web.archive.org/web/20140806122239/http://secunia.com/advisories/50344
- https://web.archive.org/web/20200229120740/http://www.securityfocus.com/bid/55140
- https://github.com/advisories/GHSA-5xv2-q475-rwrh
