GHSA SYNC: 1 brand new advisory (#774)

jasnow · postmodern · web-flow · commit 9920c496ab9e · 2024-04-10T16:15:17.000-07:00
* Added `patched_versions` to `gems/katello/CVE-2012-3503.yml`. The vulnerability was patched in commit Katello/katello@1fd91b1, which was tagged by the `katello-1.0.6-1` and `katello-1.1.7-1` release tags. However, the first gem version of katello published to https://rubygems.org is 1.5.0. I suspect that prior to the katello-1.5.0 gem, katello was installed directly from git. --------- Co-authored-by: Postmodern <postmodern.mod3@gmail.com>
diff --git a/gems/katello/CVE-2012-3503.yml b/gems/katello/CVE-2012-3503.yml
@@ -0,0 +1,29 @@
+---
+gem: katello
+cve: 2012-3503
+ghsa: 5xv2-q475-rwrh
+url: https://github.com/advisories/GHSA-5xv2-q475-rwrh
+title: Katello uses hard coded credential
+date: 2022-05-17
+description: |
+  The installation script in Katello 1.0 and earlier does not properly
+  generate the `Application.config.secret_token` value, which causes
+  each default installation to have the same secret token, and allows
+  remote attackers to authenticate to the CloudForms System Engine
+  web interface as an arbitrary user by creating a cookie using the
+  default `secret_token`.
+cvss_v2: 6.5
+cvss_v3: 9.8
+patched_versions:
+  - "~> 1.0.6"
+  - ">= 1.1.7"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2012-3503
+    - https://github.com/Katello/katello/pull/499
+    - https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3
+    - http://rhn.redhat.com/errata/RHSA-2012-1186.html
+    - http://rhn.redhat.com/errata/RHSA-2012-1187.html
+    - https://web.archive.org/web/20140806122239/http://secunia.com/advisories/50344
+    - https://web.archive.org/web/20200229120740/http://www.securityfocus.com/bid/55140
+    - https://github.com/advisories/GHSA-5xv2-q475-rwrh
