CRITICAL · 9.8

CVE-2012-3503

The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allow...

Vulnerability Description

The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.
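To make the failure mode concrete, here is an added Ruby example (not Katello's or Rails' own code) of a toy signed-cookie session store in the style Rails 3 used with `config.secret_token`: the payload is Base64-encoded and tagged with an HMAC under the token. The two helpers `cross_install_session_accepted?` and `generate_secret_token`, the `FLAWED_DEFAULT_TOKEN` value and the cookie layout are constructed assumptions for illustration. The point it shows is the defender's check: a session cookie minted on one installation must be rejected by every other installation, which only holds when each install draws its own token from a CSPRNG rather than inheriting one fixed default.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Toy model of a Rails-3-era cookie store: the session payload is Base64
# encoded and tagged with HMAC-SHA1 under the application's secret_token,
# serialised as "payload--hexdigest". Names and layout are assumptions for
# this added example, not Katello's or Rails' code.
def sign_session(secret_token, payload)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret_token, data)}"
end

# Constant-time comparison of two strings (false on length mismatch).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the decoded payload if the cookie was signed under secret_token,
# otherwise nil (the app would then treat the request as unauthenticated).
def verify_session(secret_token, cookie)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret_token, data)
  return nil unless constant_time_equal?(expected, digest)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil # malformed Base64 in the payload half
end

# What a correct installer does: draw a fresh token from the OS CSPRNG for
# each installation (64 random bytes, rendered as 128 hex characters).
def generate_secret_token
  SecureRandom.hex(64)
end

# Simulate two independent installations A and B: mint a session on A and
# ask whether B would accept it. A correct deployment answers false.
def cross_install_session_accepted?(token_a, token_b)
  cookie_from_a = sign_session(token_a, 'user_id=1')
  !verify_session(token_b, cookie_from_a).nil?
end

# Stand-in for the flawed installer's behaviour: every host ends up with the
# same token. Constructed placeholder, not the real default value.
FLAWED_DEFAULT_TOKEN = 'constructed-default-token-shared-by-every-install'.freeze

if __FILE__ == $PROGRAM_NAME
  shared = cross_install_session_accepted?(FLAWED_DEFAULT_TOKEN, FLAWED_DEFAULT_TOKEN)
  puts "shared default token, session accepted across installs: #{shared}"
  unique = cross_install_session_accepted?(generate_secret_token, generate_secret_token)
  puts "per-install random tokens, session accepted across installs: #{unique}"
end
```

Run it and the first line prints `true` (the CVE's condition: installations that share a token trust each other's cookies) while the second prints `false`. Operationally the same check translates to an audit step: confirm that no two Katello hosts you manage carry the same `secret_token` in their config, and regenerate it on any host that still has the installer-supplied value.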

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

Vendor       Product                   Versions
Theforeman   Katello                   <= 1.0
Redhat       Enterprise Linux Server   6.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2012-3503?

CVE-2012-3503 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allow...

How severe is CVE-2012-3503?

CVE-2012-3503 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2012-3503?

Check the references section above for vendor advisories and patch information. Affected products include: Theforeman Katello, Redhat Enterprise Linux Server.