Описание
The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.
Дополнительная информация
Статус:
Low
https://bugzilla.redhat.com/show_bug.cgi?id=849210Katello: Application.config.secret_token is not generated properly
EPSS
Процентиль: 79%
0.01303
Низкий
5 Medium
CVSS2
Связанные уязвимости
CVSS3: 9.8
nvd
больше 13 лет назад
The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.
EPSS
Процентиль: 79%
0.01303
Низкий
5 Medium
CVSS2