CVE-2024-7143

HIGH

Pulp - Insecure Inherited Permissions via AutoAddObjPermsMixin

Title source: llm
STIX 2.1

Description

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.

References (6)

Core 6

Scores

CVSS v3 8.3
EPSS 0.0061
EPSS Percentile 44.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-277
Status published
Products (15)
pulpproject/pulp
pypi/pulpcore 0PyPI
Red Hat/Red Hat Ansible Automation Platform 2
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 8 0:1.26.20-1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 8 0:1.4.8-1.1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 8 0:3.28.32-1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 8 0:4.2.16-1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 8 0:4.5.11-1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 9 0:1.26.20-1.el9ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 9 0:1.4.8-1.1.el9ap
... and 5 more
Published Aug 07, 2024
Tracked Since Feb 18, 2026