Updated advisory posts against rubysec/ruby-advisory-db@9920c49

Author: jasnow

advisories/_posts/2022-05-17-CVE-2012-3503.md

@@ -0,0 +1,36 @@
+---
+layout: advisory
+title: 'CVE-2012-3503 (katello): Katello uses hard coded credential'
+comments: false
+categories:
+- katello
+advisory:
+  gem: katello
+  cve: 2012-3503
+  ghsa: 5xv2-q475-rwrh
+  url: https://github.com/advisories/GHSA-5xv2-q475-rwrh
+  title: Katello uses hard coded credential
+  date: 2022-05-17
+  description: |
+    The installation script in Katello 1.0 and earlier does not properly
+    generate the `Application.config.secret_token` value, which causes
+    each default installation to have the same secret token, and allows
+    remote attackers to authenticate to the CloudForms System Engine
+    web interface as an arbitrary user by creating a cookie using the
+    default `secret_token`.
+  cvss_v2: 6.5
+  cvss_v3: 9.8
+  patched_versions:
+  - "~> 1.0.6"
+  - ">= 1.1.7"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2012-3503
+    - https://github.com/Katello/katello/pull/499
+    - https://github.com/Katello/katello/commit/7c256fef9d75029d0ffff58ff1dcda915056d3a3
+    - http://rhn.redhat.com/errata/RHSA-2012-1186.html
+    - http://rhn.redhat.com/errata/RHSA-2012-1187.html
+    - https://web.archive.org/web/20140806122239/http://secunia.com/advisories/50344
+    - https://web.archive.org/web/20200229120740/http://www.securityfocus.com/bid/55140
+    - https://github.com/advisories/GHSA-5xv2-q475-rwrh
+---