CVE-2012-3503

Опубликовано: 25 авг. 2012

Источник: nvd

CVSS3: 9.8

CVSS2: 6.5

EPSS Низкий

Описание

The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.

Ссылки

http://rhn.redhat.com/errata/RHSA-2012-1186.html
Broken Link
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-1187.html
Third Party Advisory
http://secunia.com/advisories/50344
Broken Link
http://www.securityfocus.com/bid/55140
Broken Link
Third Party Advisory
VDB Entry
https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3
Patch
https://github.com/Katello/katello/pull/499
Issue Tracking
http://rhn.redhat.com/errata/RHSA-2012-1186.html
Broken Link
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-1187.html
Third Party Advisory
http://secunia.com/advisories/50344
Broken Link
http://www.securityfocus.com/bid/55140
Broken Link
Third Party Advisory
VDB Entry
https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3
Patch
https://github.com/Katello/katello/pull/499
Issue Tracking

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:theforeman:katello:*:*:*:*:*:*:*:*

Версия до 1.0 (включая)

Конфигурация 2

cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

EPSS

Процентиль: 79%

0.01303

Низкий

9.8 Critical

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-798

Связанные уязвимости

CVE-2012-3503

redhat

больше 13 лет назад

GHSA-5xv2-q475-rwrh