CVE-2012-3503 – Katello: Application.config.secret_token is not generated properly
https://notcve.org/view.php?id=CVE-2012-3503
The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.

• http://rhn.redhat.com/errata/RHSA-2012-1186.html
• http://rhn.redhat.com/errata/RHSA-2012-1187.html
• http://secunia.com/advisories/50344
• http://www.securityfocus.com/bid/55140
• https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3
• https://github.com/Katello/katello/pull/499
• https://access.redhat.com/security/cve/CVE-2012-3503
• https://bugzilla.redhat.com/show_bug.cgi?id=849210

• CWE-798: Use of Hard-coded Credentials
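The defect described above is a Rails session-signing key that is identical on every default install. The following added example (not Katello's own code or the fix in the linked commit) shows how an installer should render config/initializers/secret_token.rb from a CSPRNG, and how an audit can flag a token that is missing, a placeholder, too short, low-entropy, or shared across hosts; the placeholder list and the file path are assumptions.

```ruby
require 'securerandom'

# Rails 3 reads the session-signing key from config/initializers/secret_token.rb.
# A token that is identical on every install (the CVE-2012-3503 defect) lets anyone
# who knows it mint valid session cookies, so the installer must draw it from a
# CSPRNG on each install instead of shipping a literal in the package.
SECRET_TOKEN_FILE = 'config/initializers/secret_token.rb' # assumed path
MIN_HEX_LENGTH = 64 # 256 bits; Rails' own generator emits 128 hex characters

# Hypothetical placeholder values an audit should treat as "never generated".
PLACEHOLDER_TOKENS = %w[CHANGEME changeme 0000 secret].freeze

# Render the initializer for a given app module with a freshly generated token.
def render_secret_token_initializer(app_module, token = SecureRandom.hex(64))
  "#{app_module}::Application.config.secret_token = '#{token}'\n"
end

# Pull the token literal out of an initializer; nil if no assignment is present.
def extract_secret_token(initializer_source)
  m = initializer_source.match(/config\.secret_token\s*=\s*['"]([^'"]*)['"]/)
  m && m[1]
end

# Classify a token: a symbol naming the problem, or :ok.
def audit_secret_token(token)
  return :missing if token.nil? || token.empty?
  return :placeholder if PLACEHOLDER_TOKENS.include?(token)
  return :too_short if token.length < MIN_HEX_LENGTH
  return :low_entropy if token.chars.uniq.size < 8 # e.g. 'aaaa...' or a repeated digit
  :ok
end

# Fleet check: the CVE's symptom is that every default install carries the same
# value, so any token seen on more than one host is reported.
def shared_tokens(tokens_by_host)
  tokens_by_host.group_by { |_, t| t }.select { |_, hosts| hosts.size > 1 }.keys
end

if $PROGRAM_NAME == __FILE__
  generated = render_secret_token_initializer('Katello')
  puts audit_secret_token(extract_secret_token(generated)) # :ok
  shipped = "Katello::Application.config.secret_token = 'CHANGEME'\n" # constructed sample
  puts audit_secret_token(extract_secret_token(shipped))   # :placeholder
end
```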