VYPR
Critical severity 9.8 · NVD Advisory · Published Aug 25, 2012 · Updated Apr 29, 2026

CVE-2012-3503

Description

The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary user by creating a cookie using the default secret_token.
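The description above comes down to one secret_token shared by every default install. As an added example, not Katello's own code and not part of this advisory, here is a Ruby check that audits the /etc/katello/secret_token file the fixed initializer reads: it flags the default token, a too-short or low-diversity token, and a file readable beyond its owner. DEFAULT_TOKEN is the value removed in the patch; MIN_TOKEN_LENGTH, the helper names and the sample scenarios are assumptions.

```ruby
# Added example (not Katello's code): audit a Katello secret_token file for the
# conditions behind CVE-2012-3503 (a token shared by every install) and for
# conditions that weaken the fix (short token, loose permissions, missing file).
require 'securerandom'
require 'tmpdir'

# Token the pre-fix initializer shipped to every installation (value from the patch).
DEFAULT_TOKEN = 'f466b184ef680822293d7130f57593a7087a34b5de0607c64d1ceb66fcac4dce' \
                '6810a6f176feba3fbbf2489de93c0918397c0c275996eb476b2fa6079ab849c1'
MIN_TOKEN_LENGTH = 30 # assumption: the minimum the removed initializer comment recommended

def audit_secret_token(path)
  return ['missing: initializer falls back to a random per-process token, sessions reset on restart'] unless File.file?(path)
  findings = []
  mode = File.stat(path).mode & 0o777
  findings << format('mode %04o readable beyond owner; expected 0600', mode) if (mode & 0o077) != 0
  token = File.read(path).chomp
  findings << 'token is the default shared by every Katello <= 1.0 install' if token == DEFAULT_TOKEN
  findings << "token length #{token.length} is below #{MIN_TOKEN_LENGTH}" if token.length < MIN_TOKEN_LENGTH
  findings << 'token uses fewer than 10 distinct characters' if token.chars.uniq.size < 10
  findings
end

# Demo helper (hypothetical): write a token file with an explicit mode.
def write_token_file(dir, name, content, mode)
  path = File.join(dir, name)
  File.open(path, 'w') { |f| f.write(content) }
  File.chmod(mode, path)
  path
end

# Constructed scenarios in a temporary directory (not taken from any real host).
def sample_audits
  Dir.mktmpdir do |dir|
    {
      default: audit_secret_token(write_token_file(dir, 'default', DEFAULT_TOKEN + "\n", 0o600)),
      world:   audit_secret_token(write_token_file(dir, 'world', SecureRandom.hex(64) + "\n", 0o644)),
      short:   audit_secret_token(write_token_file(dir, 'short', 'abcdefghij', 0o600)),
      missing: audit_secret_token(File.join(dir, 'absent')),
      good:    audit_secret_token(write_token_file(dir, 'good', SecureRandom.hex(64) + "\n", 0o600))
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  sample_audits.each { |name, findings| puts "#{name}: #{findings.empty? ? 'ok' : findings.join('; ')}" }
end
```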

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions    Patched versions
katello   RubyGems    < 1.0.6              1.0.6
katello   RubyGems    >= 1.1.0, < 1.1.7    1.1.7

Patches

7c256fef9d75

Merge pull request #499 from lzap/secret_token

https://github.com/Katello/katello · Lukáš Zapletal · Aug 22, 2012 · via ghsa
2 files changed · +20 -12
  • src/config/initializers/secret_token.rb · +13 -6 · modified
    @@ -1,7 +1,14 @@
    -# Be sure to restart your server when you modify this file.
    +require 'active_support/secure_random'
     
    -# Your secret key for verifying the integrity of signed cookies.
    -# If you change this key, all old signed cookies will become invalid!
    -# Make sure the secret is at least 30 characters and all random,
    -# no regular words or you'll be exposed to dictionary attacks.
    -Src::Application.config.secret_token = 'f466b184ef680822293d7130f57593a7087a34b5de0607c64d1ceb66fcac4dce6810a6f176feba3fbbf2489de93c0918397c0c275996eb476b2fa6079ab849c1'
    +begin
    +  # Read token string from the file.
    +  token = IO.read('/etc/katello/secret_token')
    +  raise RuntimeError, 'Size is too small' if token.length < 9
    +  Src::Application.config.secret_token = token.chomp
    +rescue Exception => e
    +  # If anything is wrong make sure the token is random. This is safe even when
    +  # Katello is not configured correctly for any reason (but session is lost
    +  # after each restart).
    +  Rails.logger.warn "Using randomly generated secure token: #{e.message}"
    +  Src::Application.config.secret_token = ActiveSupport::SecureRandom.hex(80)
    +end
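Review bot: `rescue Exception => e` at the end of the `begin` block is too broad: it also swallows `SystemExit`, `Interrupt` and `NoMemoryError`, and it turns a misconfigured production install into one that quietly rotates its session secret on every restart with only a log warning. Rescue `StandardError` (or just `Errno::ENOENT` and `Errno::EACCES`) and consider failing hard in production rather than falling back. The length check is also weaker than the guidance it replaces: the removed comment required at least 30 random characters, but `raise RuntimeError, 'Size is too small' if token.length < 9` accepts a 9-byte token, and the count includes the trailing newline because `token.chomp` only runs on the next line; chomp before the check and raise the threshold.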
    
  • src/katello.spec · +7 -6 · modified
    @@ -364,19 +364,20 @@ install -m 644 man/katello-service.8 %{buildroot}/%{_mandir}/man8
     /sbin/chkconfig --add %{name}
     /sbin/chkconfig --add %{name}-jobs
     
    -%postun common
    -#update config/initializers/secret_token.rb with new key
    -NEWKEY=$(</dev/urandom tr -dc A-Za-z0-9 | head -c128)
    -sed -i "s/^Src::Application.config.secret_token = '.*'/Src::Application.config.secret_token = '$NEWKEY'/" \
    -    %{homedir}/config/initializers/secret_token.rb
    +#Generate secret token if the file does not exist
    +#(this must be called both for installation and upgrade)
    +TOKEN=/etc/katello/secret_token
    +test -f $TOKEN || (echo $(</dev/urandom tr -dc A-Za-z0-9 | head -c128) > $TOKEN \
    +    && chmod 600 $TOKEN && chown katello:katello $TOKEN)
     
     %posttrans common
    -rm %{datadir}/Gemfile.lock
    +rm -f %{datadir}/Gemfile.lock 2>/dev/null
     /sbin/service %{name} condrestart >/dev/null 2>&1 || :
     
     %files
     %attr(600, katello, katello)
     %{_bindir}/katello-*
    +%ghost %attr(600, katello, katello) %{_sysconfdir}/%{name}/secret_token
     %{homedir}/app/controllers
     %{homedir}/app/helpers
     %{homedir}/app/mailers
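Review bot: the file created by `echo $(</dev/urandom tr -dc A-Za-z0-9 | head -c128) > $TOKEN` is born with the scriptlet's default umask (normally 0644) and only then tightened by `chmod 600 $TOKEN`, so any local reader on the host has a window to copy the fresh token; create it restrictively from the start, for example `(umask 077; echo ... > $TOKEN)` or `install -m 600 -o katello -g katello /dev/null $TOKEN` before writing. The `chown katello:katello $TOKEN` also assumes the katello account exists by the time this scriptlet runs; the hunk does not show where it is created, so confirm it is added in `%pre`. Finally, `test -f $TOKEN ||` treats an existing empty file as done, which on upgrade leaves the initializer to hit its too-short fallback, so `test -s` would match the intent better.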
    
