CRITICAL 9.8

GHSA-5xv2-q475-rwrh

Katello uses hard coded credential

상세

The installation script in Katello 1.0 and earlier does not properly generate the `Application.config.secret_token` value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default `secret_token`.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

RubyGems / katello

최초 영향 버전: 0 수정 버전: 1.0.6

수정 bundle update katello

RubyGems / katello

최초 영향 버전: 1.1.0 수정 버전: 1.1.7

수정 bundle update katello

참고

https://nvd.nist.gov/vuln/detail/CVE-2012-3503 [ADVISORY]
https://github.com/Katello/katello/pull/499 [WEB]
https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3 [WEB]
https://github.com/Katello/katello [PACKAGE]
https://github.com/advisories/GHSA-5xv2-q475-rwrh [ADVISORY]
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/katello/CVE-2012-3503.yml [WEB]
https://web.archive.org/web/20140806122239/http://secunia.com/advisories/50344 [WEB]
https://web.archive.org/web/20200229120740/http://www.securityfocus.com/bid/55140 [WEB]
http://rhn.redhat.com/errata/RHSA-2012-1186.html [WEB]
http://rhn.redhat.com/errata/RHSA-2012-1187.html [WEB]