CVE-2010-3852

Published: Nov 6, 2010Modified: Apr 29, 2026

6.4

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability: 10.0 / Impact: 4.9

Source: NVD

Description

The default configuration of Luci 0.22.4 and earlier in Red Hat Conga uses "[INSERT SECRET HERE]" as its secret key for cookies, which makes it easier for remote attackers to bypass repoze.who authentication via a forged ticket cookie.

Affected (1)

Products: Redhat: Luci

Redhat

1 product

Luci

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Redhat Luci	Up to 0.22.4

Running on/with	Platform Versions
Redhat Conga	All versions

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (24)

http://git.fedorahosted.org/git/?p=luci.git%3Ba=commit%3Bh=9e0bbf0c5faa198379d945474f7d55da5031cacf

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050244.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050246.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050309.html

Source: secalert@redhat.com

http://osvdb.org/69015

Source: secalert@redhat.com

http://secunia.com/advisories/42113

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/42123

Source: secalert@redhat.com

Vendor Advisory

http://www.securityfocus.com/bid/44611

Source: secalert@redhat.com

http://www.vupen.com/english/advisories/2010/2873

Source: secalert@redhat.com

Vendor Advisory

http://www.vupen.com/english/advisories/2010/2900

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=626504

Source: secalert@redhat.com

https://exchange.xforce.ibmcloud.com/vulnerabilities/62980

Source: secalert@redhat.com

http://git.fedorahosted.org/git/?p=luci.git%3Ba=commit%3Bh=9e0bbf0c5faa198379d945474f7d55da5031cacf