Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01eHYyLXE0NzUtcndyaM4AAfRW
Katello uses a hard-coded credential
The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, so every default installation ends up with the same secret token. Because the Rails cookie-store session is signed with that value, a remote attacker who knows the shared default secret_token can forge a session cookie and authenticate to the CloudForms System Engine web interface as an arbitrary user.
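The mechanism behind this advisory, as an added illustration that is not code from Katello or from the advisory: a Rails 3-era cookie-store session is a Marshal-dumped, Base64-encoded hash followed by an HMAC-SHA1 of that payload keyed with secret_token. The re-implementation below is simplified and standalone (no Rails dependency), and the placeholder secret, user IDs and helper names are assumptions, not Katello's real values. It shows that a party who knows the shared default secret can mint a cookie the server accepts, and that the fix, a per-installation random secret_token, makes the same forged cookie fail verification.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Simplified re-implementation of the Rails 3 signed cookie store:
#   cookie = Base64(Marshal.dump(session)) + "--" + HMAC-SHA1-hex(secret, payload)
# This is an illustration only, not Rails' or Katello's actual code.
module CookieStore
  def self.sign(session_hash, secret)
    data = Base64.strict_encode64(Marshal.dump(session_hash))
    "#{data}--#{digest(data, secret)}"
  end

  # Returns the session hash on a valid signature, nil otherwise.
  def self.verify(cookie, secret)
    data, sig = cookie.to_s.split('--', 2)
    return nil unless data && sig
    return nil unless secure_compare(digest(data, secret), sig)
    # Marshal.load on data the attacker can get signed is itself dangerous
    # (arbitrary object deserialization), which is one more reason the
    # signing secret must never be shared across installs.
    Marshal.load(Base64.strict_decode64(data))
  end

  def self.digest(data, secret)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
  end

  # Constant-time comparison so a verifier does not leak the MAC byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed placeholder standing in for a secret that an installer bakes
# into every deployment; NOT Katello's real default value.
HARDCODED_SECRET = 'constructed-example-default-secret-token'

# What the attacker does: sign a session for a privileged user with the
# secret they already know from their own (identical) default install.
def forge_admin_cookie(secret)
  CookieStore.sign({ 'user_id' => 1, 'username' => 'admin' }, secret)
end

# What the server does: verify the cookie with *its* secret and trust the
# identity inside on success.
def server_accepts?(cookie, server_secret)
  session = CookieStore.verify(cookie, server_secret)
  !session.nil? && session['username'] == 'admin'
end

# The fix: generate a fresh, random secret_token per installation instead of
# shipping one fixed value. 64 random bytes (128 hex chars) is ample.
def generate_secret_token
  SecureRandom.hex(64)
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_admin_cookie(HARDCODED_SECRET)
  puts "shared default secret, forged cookie accepted: #{server_accepts?(forged, HARDCODED_SECRET)}"
  puts "per-install random secret, same cookie accepted: #{server_accepts?(forged, generate_secret_token)}"
end
```

When auditing an install, the check that matters is whether the value in the app's secret_token configuration is unique to that host; two deployments produced by the same installer that share a secret_token are mutually forgeable regardless of how long the value is.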
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01eHYyLXE0NzUtcndyaM4AAfRW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 17 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-5xv2-q475-rwrh, CVE-2012-3503
References:
- https://nvd.nist.gov/vuln/detail/CVE-2012-3503
- https://github.com/Katello/katello/pull/499
- https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3
- http://rhn.redhat.com/errata/RHSA-2012-1186.html
- http://rhn.redhat.com/errata/RHSA-2012-1187.html
- https://web.archive.org/web/20140806122239/http://secunia.com/advisories/50344
- https://web.archive.org/web/20200229120740/http://www.securityfocus.com/bid/55140
- https://github.com/advisories/GHSA-5xv2-q475-rwrh
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/katello/CVE-2012-3503.yml
Blast Radius: 9.8
Affected Packages
rubygems:katello
Dependent packages: 9
Dependent repositories: 10
Downloads: 338,832 total
Affected Version Ranges: >= 1.1.0, < 1.1.7; < 1.0.6
Fixed in: 1.1.7, 1.0.6
All affected versions:
All unaffected versions: 1.5.0, 2.2.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.4.2, 3.4.4, 3.4.5, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.7.0, 3.7.1, 3.8.0, 3.8.1, 3.9.0, 3.9.1, 3.10.0, 3.10.1, 3.10.2, 3.11.0, 3.11.1, 3.11.2, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.13.4, 3.14.0, 3.14.1, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.16.0, 3.16.1, 3.16.2, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.18.4, 3.18.5, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.6.2, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.11.0, 4.11.1, 4.12.0