← Back

CVE-2012-3503

nvd nist
Published: Aug 25, 2012Modified: Apr 29, 2026

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.

Affected (2)

Theforeman
1 product
Katello
Redhat
1 product
Enterprise Linux Server
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Katello
Up to 1.0
Configuration B
1 vulnerable
Vulnerable SoftwareAffected Versions
Enterprise Linux Server
Version 6.0

Related CWEs

CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.

References (12)

Source: secalert@redhat.com
Broken LinkThird Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Broken Link
Source: secalert@redhat.com
Broken LinkThird Party AdvisoryVDB Entry
Source: secalert@redhat.com
Patch
Source: secalert@redhat.com
Issue Tracking
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Broken Link
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Issue Tracking

Timeline

No history available yet.