CVE-2012-3503

Name: CVE-2012-3503
Creator: NVD / NIST
Published: 2012-08-25T10:29:52.693+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 3.00%

Last modified Jun 16, 2026

CVE-2012-3503 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.. EPSS estimates a 3.00% chance of exploitation in the next 30 days.

Description

The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

3.00%

85.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-798

Affected Software

Vendor	Product	Versions
Theforeman	Katello	<= 1.0
Redhat	Enterprise Linux Server	6.0

References

http://rhn.redhat.com/errata/RHSA-2012-1186.htmlBroken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-1187.htmlThird Party Advisory
http://secunia.com/advisories/50344Broken Link
http://www.securityfocus.com/bid/55140Broken Link, Third Party Advisory, VDB Entry
https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3Patch
https://github.com/Katello/katello/pull/499Issue Tracking
http://rhn.redhat.com/errata/RHSA-2012-1186.htmlBroken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2012-1187.htmlThird Party Advisory
http://secunia.com/advisories/50344Broken Link
http://www.securityfocus.com/bid/55140Broken Link, Third Party Advisory, VDB Entry
https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3Patch
https://github.com/Katello/katello/pull/499Issue Tracking

Timeline

Published: Aug 25, 2012
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2012-3503?

How severe is CVE-2012-3503?

CVE-2012-3503 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 3.00% probability of exploitation in the next 30 days.

How do I fix CVE-2012-3503?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2012-3503?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST